Filtered by vendor Lighttpd
Subscriptions
Filtered by product Lighttpd
Subscriptions
Total
34 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2008-0983 | 1 Lighttpd | 1 Lighttpd | 2018-10-15 | N/A |
lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access. | ||||
CVE-2007-4727 | 1 Lighttpd | 1 Lighttpd | 2018-10-15 | N/A |
Buffer overflow in the fcgi_env_add function in mod_proxy_backend_fastcgi.c in the mod_fastcgi extension in lighttpd before 1.4.18 allows remote attackers to overwrite arbitrary CGI variables and execute arbitrary code via an HTTP request with a long content length, as demonstrated by overwriting the SCRIPT_FILENAME variable, aka a "header overflow." | ||||
CVE-2007-3950 | 1 Lighttpd | 1 Lighttpd | 2018-10-15 | N/A |
lighttpd 1.4.15, when run on 32 bit platforms, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving the use of incompatible format specifiers in certain debugging messages in the (1) mod_scgi, (2) mod_fastcgi, and (3) mod_webdav modules. | ||||
CVE-2007-3949 | 1 Lighttpd | 1 Lighttpd | 2018-10-15 | N/A |
mod_access.c in lighttpd 1.4.15 ignores trailing / (slash) characters in the URL, which allows remote attackers to bypass url.access-deny settings. | ||||
CVE-2007-3948 | 1 Lighttpd | 1 Lighttpd | 2018-10-15 | N/A |
connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts. | ||||
CVE-2007-3947 | 1 Lighttpd | 1 Lighttpd | 2018-10-15 | N/A |
request.c in lighttpd 1.4.15 allows remote attackers to cause a denial of service (daemon crash) by sending an HTTP request with duplicate headers, as demonstrated by a request containing two Location header lines, which results in a segmentation fault. | ||||
CVE-2007-3946 | 1 Lighttpd | 1 Lighttpd | 2018-10-15 | N/A |
mod_auth (http_auth.c) in lighttpd before 1.4.16 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving (1) a memory leak, (2) use of md5-sess without a cnonce, (3) base64 encoded strings, and (4) trailing whitespace in the Auth-Digest header. | ||||
CVE-2008-4298 | 1 Lighttpd | 1 Lighttpd | 2018-10-11 | N/A |
Memory leak in the http_request_parse function in request.c in lighttpd before 1.4.20 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests with duplicate request headers. | ||||
CVE-2008-1270 | 1 Lighttpd | 1 Lighttpd | 2018-10-11 | N/A |
mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory. | ||||
CVE-2008-1111 | 1 Lighttpd | 1 Lighttpd | 2018-10-11 | N/A |
mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information. | ||||
CVE-2013-1427 | 2 Debian, Lighttpd | 2 Debian Linux, Lighttpd | 2017-08-29 | N/A |
The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition. | ||||
CVE-2012-5533 | 1 Lighttpd | 1 Lighttpd | 2017-08-29 | N/A |
The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header. | ||||
CVE-2010-0295 | 1 Lighttpd | 1 Lighttpd | 2017-08-17 | N/A |
lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate. | ||||
CVE-2006-0760 | 1 Lighttpd | 1 Lighttpd | 2017-07-20 | N/A |
LightTPD 1.4.8 and earlier, when the web root is on a case-insensitive filesystem, allows remote attackers to bypass URL checks and obtain sensitive information via file extensions with unexpected capitalization, as demonstrated by a request for index.PHP when the configuration invokes the PHP interpreter only for ".php" names. |