
From the News Desk
Friday, 14. September 2007

lighttpd Vulnerability Allows Remote Code Execution in FastCGI Apps

lighttpd is a secure, fast, standards-compliant, and flexible Web server optimized for high-performance environments. It has a very low memory footprint compared to other Web servers and is light on CPU load. Its advanced feature set includes FastCGI (load balanced), CGI, Auth, output compression, URL rewriting, SSL, and much more. lighttpd powers several popular Web 2.0 sites such as YouTube, Wikipedia and meebo; its high-speed I/O infrastructure lets them scale several times better on the same hardware than with alternative Web servers.

Mattias Bengtsson and Philip Olausson have reported a vulnerability in versions prior to 1.4.18, caused by an error in the mod_fastcgi extension when handling the headers of an HTTP request. It can be exploited to add or replace the FastCGI request headers passed to PHP (e.g. SCRIPT_FILENAME) by sending an HTTP request containing an overly long header. Successful exploitation allows execution of arbitrary PHP code. Users are recommended to update to version 1.4.18.
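As an added example (not lighttpd's code), the following bounded FastCGI params encoder and parser shows the two properties whose absence the report describes: HTTP headers copied into the PHP environment must stay within a fixed buffer (the request is rejected, not silently truncated), and a client header can only ever set an HTTP_-prefixed variable, never a server-owned one such as SCRIPT_FILENAME. The 4096-byte limit, the paths and the header values are constructed for the example.

```python
"""Bounded FastCGI FCGI_PARAMS encoder/decoder (added example, not lighttpd code).
A web server maps request headers to CGI variables (Host -> HTTP_HOST) and sends
them, with server-owned variables such as SCRIPT_FILENAME, to the PHP backend as
FastCGI name/value pairs; here the total size is checked before anything is sent."""
import struct

MAX_PARAMS_BYTES = 4096  # constructed limit for this example

class ParamsTooLarge(ValueError):
    pass

def encode_length(n):
    # FastCGI spec: 1 byte if n < 128, else 4 bytes big-endian with the high bit set
    if n < 0x80:
        return bytes([n])
    if n > 0x7FFFFFFF:
        raise ParamsTooLarge("length exceeds the 31-bit FastCGI limit")
    return struct.pack(">I", n | 0x80000000)

def decode_length(buf, pos):
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    return struct.unpack(">I", buf[pos:pos + 4])[0] & 0x7FFFFFFF, pos + 4

def header_to_param(header):
    # Content-Type -> HTTP_CONTENT_TYPE; the prefix keeps client data out of server-owned names
    return "HTTP_" + header.upper().replace("-", "_")

def build_params(server_params, request_headers):
    out = bytearray()
    pairs = list(server_params.items())
    pairs += [(header_to_param(h), v) for h, v in request_headers.items()]
    for name, value in pairs:
        n, v = name.encode("ascii"), value.encode("latin-1")
        out += encode_length(len(n)) + encode_length(len(v)) + n + v
        # reject rather than truncate: a silent cut would corrupt the pairs that follow
        if len(out) > MAX_PARAMS_BYTES:
            raise ParamsTooLarge(f"request params exceed {MAX_PARAMS_BYTES} bytes")
    return bytes(out)

def parse_params(buf):
    # Decode a params buffer back into a dict (the backend's view of the environment)
    params, pos = {}, 0
    while pos < len(buf):
        nlen, pos = decode_length(buf, pos)
        vlen, pos = decode_length(buf, pos)
        params[buf[pos:pos + nlen].decode("ascii")] = buf[pos + nlen:pos + nlen + vlen].decode("latin-1")
        pos += nlen + vlen
    return params
```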
