PT-2007-5169 · Lighttpd · Lighttpd

Published: 2007-07-23 · Updated: 2018-10-15 · CVE-2007-3949

CVSS v2.0: 8.3 (High)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:C
Name of the Vulnerable Software and Affected Versions: lighttpd versions 1.4.15 and prior

Description: The issue allows remote attackers to bypass url.access-deny settings because trailing "/" (slash) characters in the URL are ignored when the deny list is checked. Additionally, multiple remote vulnerabilities exist, including errors in processing HTTP headers, in mod_auth, and in parsing Auth-Digest headers, which can be exploited to cause a Denial of Service (DoS). An error in the mechanism that limits the number of active connections can also be exploited to cause a DoS. Furthermore, an error in processing HTTP requests can be exploited to access restricted files by appending a "/" to a URL. Other vulnerabilities include an error in mod_scgi that can cause a DoS, and an unchecked return value of base64_decode in mod_auth that can lead to access to uninitialized memory. An error in the header parsing code can also lead to memory corruption.

Recommendations: For lighttpd versions 1.4.15 and prior, update to a newer version to mitigate the risk. As a temporary workaround, consider restricting access to the vulnerable mod_auth and mod_scgi modules until a patch is available. Avoid Digest authentication with the algorithm set to "MD5-sess" and no cnonce in mod_auth requests until the issue is resolved. Restrict the number of active connections to minimize the risk of exploitation. Until the issue is resolved, do not rely on url.access-deny alone to protect restricted files, since appending a "/" to a URL bypasses it. Disable the use of base64_decode in mod_auth until the issue is resolved. Apply configuration changes to limit the impact of the header parsing code error until a patch is available.
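The url.access-deny bypass described above comes down to matching deny suffixes against an unnormalized request path. The following is an added illustration, not lighttpd's own code: a naive suffix check modelled on the described behaviour, a hardened check that strips trailing slashes before matching, and a helper that flags access-log requests the naive check would have let through (the deny entries and log lines are constructed for the example).

```python
import re

# Typical url.access-deny entries; constructed for this example, not taken from the advisory.
DENY_SUFFIXES = ("~", ".inc")


def is_denied_naive(url_path, deny=DENY_SUFFIXES):
    """Match deny suffixes against the raw request path (a model of the
    described flaw, not lighttpd's actual code). '/config.inc/' ends in '/',
    so no suffix matches, yet the file system may still serve config.inc."""
    return any(url_path.endswith(s) for s in deny)


def is_denied_hardened(url_path, deny=DENY_SUFFIXES):
    """Normalize first: drop trailing slashes so '/x.inc/' is checked as '/x.inc'."""
    normalized = url_path.rstrip("/")
    return any(normalized.endswith(s) for s in deny)


# Request line inside a common-log-format access log entry.
LOG_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')


def flag_bypass_attempts(log_lines, deny=DENY_SUFFIXES):
    """Return request paths that the naive check passes but the hardened
    check denies: the requests worth reviewing on an unpatched server."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]  # ignore the query string
        if not is_denied_naive(path, deny) and is_denied_hardened(path, deny):
            hits.append(path)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jul/2007:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.5 - - [23/Jul/2007:12:00:02 +0000] "GET /config.inc HTTP/1.1" 403 0',
    '10.0.0.5 - - [23/Jul/2007:12:00:03 +0000] "GET /config.inc/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [23/Jul/2007:12:00:04 +0000] "GET /backup.php~//?x=1 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(flag_bypass_attempts(SAMPLE_LOG))  # ['/config.inc/', '/backup.php~//']
```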


Related Identifiers: CVE-2007-3949, DSA-1362-1

Affected Products: Lighttpd