
PCI Scan failing because of lighttpd


ioncannon23
September 9th, 2009, 15:30
Hello all. My FreeBSD-based server, running Apache and NOT lighttpd, is failing a Nessus scan which states that there is a lighttpd error as follows:

http (80/tcp) Medium 39006

Fail Synopsis :

The web server running on the remote host has an information
disclosure vulnerability.

Description :

The version of lighttpd installed on the remote host may disclose the source code of files such as PHP scripts when a '/' is appended to a URL
corresponding to a symbolic link. This vulnerability occurs only on certain operating systems (FreeBSD, Mac OS X, and Solaris prior to version
10 are known to be affected) and arises because of a bug in the operating system itself in which adding a trailing slash to a symbolic link
pointing to a regular file returns the link itself.

See also :

http://redmine.lighttpd.net/issues/1989

Solution :

Upgrade to lighttpd 1.4.23 when it becomes available.

CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin output :
Nessus was able to detect the vulnerability using the following
URL : http://www.mydomain.com/index.php/

BID : 35097

Other references : milw0rm:8786

Now, since I do not have the lighttpd port installed, what is the deal with this? Does anyone know how to test this manually to see if it is a real issue and not a false positive?

thanks,

-ic

vivek
September 9th, 2009, 16:38
Type the following command and give us the output:
sockstat -p80 -4l

ioncannon23
September 9th, 2009, 17:26
Sure

# sockstat -p80 -4l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 65717 3 tcp46 *:80 *:*
www httpd 65686 3 tcp46 *:80 *:*
www httpd 65685 3 tcp46 *:80 *:*
www httpd 65684 3 tcp46 *:80 *:*
www httpd 65656 3 tcp46 *:80 *:*
www httpd 65501 3 tcp46 *:80 *:*
www httpd 65495 3 tcp46 *:80 *:*
www httpd 65493 3 tcp46 *:80 *:*
www httpd 65450 3 tcp46 *:80 *:*
www httpd 65447 3 tcp46 *:80 *:*
www httpd 65442 3 tcp46 *:80 *:*
www httpd 65374 3 tcp46 *:80 *:*
www httpd 65345 3 tcp46 *:80 *:*
www httpd 65339 3 tcp46 *:80 *:*
www httpd 65238 3 tcp46 *:80 *:*
root httpd 65163 3 tcp46 *:80 *:*

phospher
September 10th, 2009, 18:11
I've found that you really have to watch Nessus, as it flags a lot of false positives. If you were in fact running lighty, you would not see "httpd" with that sockstat command. Instead you would see something like this:

bsd01# sockstat -p80 -4l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www lighttpd 728 5 tcp4 *:80 *:*
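The original poster asked how to test the finding manually. Below is an added example (not posted in this thread) with two checks that together cover what Nessus plugin 39006 claims: an OS-level test for the trailing-slash-on-symlink behaviour the advisory describes, and a web-level comparison of a URL with and without a trailing slash. The function names are my own, the scratch files are constructed, and the web check assumes `curl` is installed; run the web check only against a host you administer.

```shell
#!/bin/sh
# Added example (not the thread's own commands): manual verification of the
# Nessus 39006 "lighttpd symlink trailing slash" finding. Function names and
# sample files are assumptions/constructed for this example.

# 1) OS-level check for the bug the advisory describes: on an affected system
#    opening "symlink-to-regular-file/" returns the target file instead of
#    failing with ENOTDIR. Prints "affected" or "not-affected".
symlink_trailing_slash_check() {
    dir=$(mktemp -d) || return 2
    # Constructed stand-in for a PHP script behind a symlink on the docroot.
    printf '<?php echo "constructed"; ?>\n' > "$dir/target.php"
    ln -s target.php "$dir/link.php"
    if cat "$dir/link.php/" >/dev/null 2>&1; then
        result=affected          # trailing slash resolved to the regular file
    else
        result=not-affected      # kernel rejected the path (ENOTDIR), as expected
    fi
    rm -rf "$dir"
    printf '%s\n' "$result"
}

# 2) Web-level check: the plugin hit http://host/index.php/ ; compare what the
#    server answers for URL and URL/ and show the Server header so it can be
#    reconciled with what sockstat says is listening on :80. A real disclosure
#    shows raw "<?php" in the trailing-slash body; a false positive does not.
#    Only printed output here, so nothing to assert on.
web_trailing_slash_check() {
    url=$1
    for u in "$url" "$url/"; do
        printf '== %s\n' "$u"
        # status line plus Server header only
        curl -s -i "$u" | sed -n '1p;/^[Ss]erver:/p'
        if curl -s "$u" | grep -q '<?php'; then
            printf 'WARNING: raw PHP source returned in body\n'
        fi
    done
}
```

Usage: `symlink_trailing_slash_check` on the server itself tells you whether the kernel even exhibits the behaviour the plugin depends on; `web_trailing_slash_check http://www.mydomain.com/index.php` then shows whether the daemon actually serves source for the trailing-slash URL. On the setup in this thread (Apache, per the sockstat output above) the expected outcome is identical handler behaviour for both URLs and no `<?php` in the body, which confirms the false positive.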