In association with heise online

23 July 2007, 13:51

Several vulnerabilities in the Lighttpd web server

The Lighttpd web server contains vulnerabilities that can be exploited by attackers to perform denial-of-service attacks or to bypass security restrictions. According to an advisory published by the developers, appending a slash to a URL allows access to protected data. Other bugs reside in the mod_auth and mod_scgi modules, which crash when certain requests are processed. Finally, an HTTP header processing vulnerability and an out-of-bounds vulnerability relating to the maximum number of active connections might also be exploited for DoS attacks. The bugs have been found in Lighttpd version 1.4.15. Prior versions may also be affected. While these flaws have been fixed in the developer repositories, an official patch has not been provided yet.

Lighttpd, or Lighty, is a resource-efficient, fast web server that can be extended with modules, similar to the Apache web server. Lighttpd supports PHP, Python and Ruby. With its low CPU and memory requirements it is well suited for embedded systems. Sites powered by Lighttpd or customized Lighty versions include YouTube, SourceForge and Wikipedia.
