Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

LiteSpeed Web Server 5.1.0 HTTP Header Injection

🗓️ 20 Jan 2016 00:00:00Reported by Onur YILMAZType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 33 Views

LiteSpeed Web Server 5.1.0 HTTP Header Injection vulnerability discovered by Netsparker

Code
`Information  
--------------------  
Advisory by Netsparker  
Name: HTTP Header Injection in LiteSpeed Web Server  
Affected Software : LiteSpeed Web Server  
Affected Versions: v5.1.0 and possibly below  
Vendor Homepage : https://www.litespeedtech.com/  
Vulnerability Type : HTTP Header Injection  
Severity : Medium  
Status : Fixed  
CVE-ID : TBA  
Netsparker Advisory Reference : NS-16-001  
  
Description  
--------------------  
While testing Netsparker, we spotted an HTTP Header Injection  
vulnerability in LiteSpeed.  
  
LiteSpeed Web Server v5.1.0 and possibly below are affected if  
mod_userdir is enabled. This vulnerability can be exploited in various  
ways depending on the application.  
  
Technical Details  
--------------------  
Proof of Concept URL for HTTP Header Injection in LiteSpeed Web Server:  
  
/~%0d%0aSet-Cookie:Scanner=Netsparker%0d%0a  
  
Advisory Timeline  
--------------------  
15 Jan 2016 - First Contact  
18 Jan 2016 - Vendor Fixed  
20 Jan 2016 - Advisory Released  
  
Solution  
--------------------  
Patch released by LiteSpeed and annocunced here:  
https://www.litespeedtech.com/products/litespeed-web-server/release-log.  
Download the latest version.  
  
Credits & Authors  
--------------------  
This issue has been discovered by Ziyahan Albeniz while testing  
Netsparker Web Application Security Scanner  
(https://www.netsparker.com).  
  
About Netsparker  
--------------------  
Netsparker web application security scanners find and report security  
flaws and vulnerabilities such as SQL Injection and Cross-site  
Scripting (XSS) in all websites and web applications, regardless of  
the platform and technology they are built on. Netsparker scanning  
engine’s unique detection and exploitation techniques allow it to be  
dead accurate in reporting vulnerabilities, hence it does not report  
any false positives. The Netsparker web application security scanner  
is available in two editions; Netsparker Desktop and Netsparker Cloud.  
Visit our website https://www.netsparker.com for more information.  
  
Onur Yılmaz - National General Manager  
  
Netsparker Web Application Security Scanner  
T: +90 (0)554 873 0482  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Jan 2016 00:00Current
0.1Low risk
Vulners AI Score0.1
litespeed web serverhttp header injectionnetsparkervulnerabilitypatchweb security scannerurlvendormod_userdirseveritycve-idproof of conceptadvisorysolutionpatchreleasedcreditsauthorsexploitation techniquesfalse positivesnationalmanager
33