Several vulnerabilities in the Lighttpd web server
The Lighttpd web server contains vulnerabilities that can be exploited by attackers to perform denial-of-service attacks or to bypass security restrictions. According to an advisory published by the developers, appending a slash to a URL allows access to protected data. Other bugs reside in the mod_auth and mod_scgi modules, which crash when certain requests are processed. Finally, an HTTP header processing vulnerability and an out-of-bounds vulnerability relating to the maximum number of active connections might also be exploited for DoS attacks. The bugs have been found in Lighttpd version 1.4.15. Prior versions may also be affected. While these flaws have been fixed in the developer repositories (http://trac.lighttpd.net/trac/), an official patch has not been provided yet.
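The access-deny bug above belongs to a well-known class: a rule is checked against the request path as received, while the file actually served is resolved from a normalized form of it. The following is an added example written for this note, not Lighttpd's own code; it assumes a rule list shaped like lighttpd's url.access-deny suffix patterns (the suffixes here are constructed, not the project's defaults) and contrasts a naive suffix check with one that normalizes the path first.

```python
from urllib.parse import unquote

# Constructed deny rules in the shape of lighttpd's url.access-deny
# (trailing patterns); illustrative values, not the project's defaults.
DENY_SUFFIXES = ("~", ".inc", ".htaccess")


def naive_denied(path: str, suffixes=DENY_SUFFIXES) -> bool:
    """Suffix check on the raw request path. A trailing '/' changes the
    suffix, so '/secret.inc/' is not matched even though the file the
    server goes on to resolve is the same as for '/secret.inc'."""
    return path.endswith(suffixes)


def normalize_path(path: str) -> str:
    """Percent-decode, collapse empty and '.' segments, resolve '..',
    and drop trailing slashes so the rule sees the path the filesystem
    lookup will see."""
    path = unquote(path)
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def hardened_denied(path: str, suffixes=DENY_SUFFIXES) -> bool:
    """Apply the same suffix rules, but to the normalized path."""
    return normalize_path(path).endswith(suffixes)


if __name__ == "__main__":
    # Constructed request paths covering the trailing-slash case and
    # a few related encodings of the same resource.
    for p in ("/secret.inc", "/secret.inc/", "/a/../.htaccess/", "/x/backup~//"):
        print(f"{p:20} naive={naive_denied(p)!s:5} hardened={hardened_denied(p)}")
```

The same normalization belongs in front of any other path-based rule (aliases, authentication realms, rewrites), since each one is bypassed the same way if it matches the raw path.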
Lighttpd, or Lighty, is a resource-efficient, fast web server that can be extended with modules, similar to the Apache web server. Lighttpd supports PHP, Python and Ruby. With its low CPU and memory requirements it is well suited for embedded systems. Sites powered by Lighttpd or customized Lighty versions include YouTube, SourceForge and Wikipedia.
See also:
- Changeset 1875, security advisory from Lighttpd
- lighty 1.4.13 crashes with accessing out of bound fd array index, security advisory from Lighttpd
- appending / to URL breaks access-deny setting, security advisory from Lighttpd
- Segmentation fault in mod_scgi, security advisory from Lighttpd
- Lighttpd consumes > 1GB of memory, security advisory from Lighttpd
(mba)