CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
Percentile
97.0%
The remote web server appears to be lighttpd running with the FastCGI module (mod_fastcgi). The version of the FastCGI module on the remote host is affected by a buffer overflow vulnerability. A remote attacker can exploit this, by sending a specially crafted request with a long header, to add or replace headers passed to PHP, such as SCRIPT_FILENAME, which in turn could result in arbitrary code execution.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(26057);
script_version("1.20");
script_cve_id("CVE-2007-4727");
script_bugtraq_id(25622);
script_name(english:"lighttpd mod_fastcgi HTTP Request Header Remote Overflow");
script_summary(english:"Sends a long header to lighttpd.");
script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a buffer overflow vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote web server appears to be lighttpd running with the FastCGI
module (mod_fastcgi). The version of the FastCGI module on the remote
host is affected by a buffer overflow vulnerability. A remote attacker
can exploit this, by sending a specially crafted request with a long
header, to add or replace headers passed to PHP, such as
SCRIPT_FILENAME, which in turn could result in arbitrary code
execution.");
# https://web.archive.org/web/20080120064737/http://www.secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b18fbfb0");
script_set_attribute(attribute:"solution", value:
"Upgrade to lighttpd version 1.4.18 or later. Alternatively, disable
the FastCGI module.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
script_cwe_id(119);
script_set_attribute(attribute:"plugin_publication_date", value: "2007/09/17");
script_set_attribute(attribute:"vuln_publication_date", value: "2007/09/10");
script_cvs_date("Date: 2018/07/13 15:08:46");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:lighttpd:lighttpd");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
script_dependencies("lighttpd_detect.nasl");
script_require_keys("installed_sw/lighttpd", "www/php");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("audit.inc");
include("install_func.inc");
get_install_count(app_name:"lighttpd", exit_if_zero:TRUE);
port = get_http_port(default:80, embedded:TRUE, php:TRUE);
install = get_single_install(app_name:"lighttpd", port:port);
# Make sure the server itself works.
url = "/";
rq = http_mk_get_req(item:url, port:port);
w = http_send_recv_req(port: port, req: rq);
if (isnull(w)) exit(1, "The web server on port "+port+" did not answer.");
# If it does...
if (w[0] =~ "^HTTP/.* 200 ")
{
# Send the same request but with a long header.
# nb: the size of the environment needs to exceed FCGI_MAX_LENGTH,
# as defined in src/fastcgi.h. By default, it's 0xffff so
# this is probably more than what we need.
rq['Nessus'] = crap(0xffff);
w = http_send_recv_req(port: port, req: rq);
if (isnull(w)) exit(1, "The web server on port "+port+" did not answer.");
# There's a problem unless we get a 400 (bad request) or 431
# (request header too long) response.
if (w[0] !~ "^HTTP/.* (400|431) ")
{
security_warning(port);
exit(0);
}
}
audit(AUDIT_LISTEN_NOT_VULN, "lighttpd", port, install["version"]);