ID CVE-2013-1427
Summary The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition.
References
Vulnerable Configurations
  • Lighttpd 1.4.27
    cpe:2.3:a:lighttpd:lighttpd:1.4.27
  • lighttpd lighttpd 1.4.26
    cpe:2.3:a:lighttpd:lighttpd:1.4.26
  • lighttpd lighttpd 1.4.25
    cpe:2.3:a:lighttpd:lighttpd:1.4.25
  • lighttpd lighttpd 1.4.24
    cpe:2.3:a:lighttpd:lighttpd:1.4.24
  • lighttpd lighttpd 1.4.23
    cpe:2.3:a:lighttpd:lighttpd:1.4.23
  • lighttpd lighttpd 1.4.22
    cpe:2.3:a:lighttpd:lighttpd:1.4.22
  • lighttpd lighttpd 1.4.21
    cpe:2.3:a:lighttpd:lighttpd:1.4.21
  • lighttpd lighttpd 1.4.20
    cpe:2.3:a:lighttpd:lighttpd:1.4.20
  • lighttpd lighttpd 1.4.19
    cpe:2.3:a:lighttpd:lighttpd:1.4.19
  • lighttpd 1.4.18
    cpe:2.3:a:lighttpd:lighttpd:1.4.18
  • lighttpd 1.4.11
    cpe:2.3:a:lighttpd:lighttpd:1.4.11
  • lighttpd 1.4.16
    cpe:2.3:a:lighttpd:lighttpd:1.4.16
  • lighttpd 1.4.15
    cpe:2.3:a:lighttpd:lighttpd:1.4.15
  • lighttpd 1.4.12
    cpe:2.3:a:lighttpd:lighttpd:1.4.12
  • lighttpd 1.4.13
    cpe:2.3:a:lighttpd:lighttpd:1.4.13
  • lighttpd 1.4.10
    cpe:2.3:a:lighttpd:lighttpd:1.4.10
  • lighttpd 1.4.9
    cpe:2.3:a:lighttpd:lighttpd:1.4.9
  • lighttpd 1.4.8
    cpe:2.3:a:lighttpd:lighttpd:1.4.8
  • lighttpd 1.4.7
    cpe:2.3:a:lighttpd:lighttpd:1.4.7
  • lighttpd 1.4.6
    cpe:2.3:a:lighttpd:lighttpd:1.4.6
  • lighttpd 1.4.5
    cpe:2.3:a:lighttpd:lighttpd:1.4.5
  • lighttpd 1.4.4
    cpe:2.3:a:lighttpd:lighttpd:1.4.4
  • lighttpd 1.4.3
    cpe:2.3:a:lighttpd:lighttpd:1.4.3
  • lighttpd 1.3.16
    cpe:2.3:a:lighttpd:lighttpd:1.3.16
  • Debian Linux
    cpe:2.3:o:debian:debian_linux
CVSS
Base: 1.9 (as of 01-06-2016 - 16:25)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
  • Vector: LOCAL
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: PARTIAL
  • Availability: NONE
nessus via4
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_LIGHTTPD_20140721.NASL
    description The remote Solaris system is missing necessary patches to address security updates: - lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate. (CVE-2010-0295) - The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition. (CVE-2013-1427) - Unspecified vulnerability in Lighttpd in Oracle Solaris 11.1 allows attackers to cause a denial of service via unknown vectors. (CVE-2014-2469)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80699
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80699
    title Oracle Solaris Third-Party Patch Update : lighttpd (cve_2014_2469_denial_of)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2649.NASL
    description Stefan Buhler discovered that the Debian-specific configuration file for lighttpd webserver FastCGI PHP support used a fixed socket name in the world-writable /tmp directory. A symlink attack or a race condition could be exploited by a malicious user on the same machine to take over the PHP control socket and, for example, force the webserver to use a different PHP version. As the fix is in a configuration file lying in /etc, the update won't be enforced if the file has been modified by the administrator. In that case, care should be taken to manually apply the fix.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 65585
    published 2013-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65585
    title Debian DSA-2649-1 : lighttpd - fixed socket name in world-writable directory
  • NASL family Web Servers
    NASL id LIGHTTPD_1_4_28.NASL
    description According to its banner, the version of lighttpd running on the remote host is prior to 1.4.28. Therefore, it may be affected by the following vulnerability: - The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-02-06
    plugin id 106626
    published 2018-02-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106626
    title lighttpd < 1.4.28 Insecure Temporary File Creation
refmap via4
bid 58528
debian DSA-2649
osvdb 91462
xf lighttpd-cve20131427-symlink(82897)
Last major update 01-06-2016 - 22:18
Published 21-03-2013 - 13:55
Last modified 28-08-2017 - 21:33