Local File Inclusion in lighttpd on Debian GNU/Linux
CVE-2013-1427

Currently unrated

Key Information:

Vendor: Lighttpd
Status: Lighttpd
Vendor: CVE Published:; 21 March 2013

What is CVE-2013-1427?

The FastCGI PHP support for lighttpd prior to version 1.4.28 on Debian GNU/Linux contains a vulnerability where the configuration file creates a socket file with a predictable name in the /tmp directory. This predictability allows local users to hijack the PHP control socket, potentially enabling them to execute unauthorized commands. Attackers can leverage this vulnerability through symlink attacks or race conditions to manipulate the PHP environment and impact system behavior.

References

http://osvdb.org/91462

vdb-entryx_refsource_OSVDB

https://exchange.xforce.ibmcloud.com/vulnerabilities/82897

vdb-entryx_refsource_XF

http://www.securityfocus.com/bid/58528

vdb-entryx_refsource_BID

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 21, 2013
Vulnerability Reserved
Jan 26, 2013

Lighttpd

What is CVE-2013-1427?

References

Timeline