Description: Mattias Bengtsson and Philip Olausson have reported a vulnerability in lighttpd, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused by an error in the mod_fastcgi extension when handling headers in an HTTP request. This can be exploited to, for example, add or replace PHP headers (e.g. SCRIPT_FILENAME) via an HTTP request containing an overly long header.
Successful exploitation allows execution of arbitrary PHP code.
The vulnerability affects versions prior to 1.4.18.
Solution: Update to version 1.4.18.
Provided and/or discovered by: Mattias Bengtsson and Philip Olausson, SECWEB