DSA-2649-1 lighttpd -- fixed socket name in world-writable directory
ID: oval:org.secpod.oval:def:600995 | Date: (C)2013-03-19 (M)2022-10-10 |
Class: PATCH | Family: unix |
Stefan Bühler discovered that the Debian-specific configuration file for the lighttpd web server's FastCGI PHP support used a fixed socket name in the world-writable /tmp directory. A malicious local user on the same machine could exploit this through a symlink attack or a race condition to take over the PHP control socket and, for example, force the web server to use a different PHP version. Because the fix is in a configuration file under /etc, the update will not replace that file if the administrator has modified it; in that case the fix must be applied manually.
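The check an administrator would want after reading this advisory is whether any lighttpd FastCGI socket still lives in a directory other users can write to. The script below is an added example, not code from the advisory or from Debian; the stanza it parses is a constructed config in the shape lighttpd's fastcgi.server directive uses, and the "private run directory" it compares against is a temporary directory standing in for a root-owned, service-specific one (the exact directory Debian's fixed file uses is not stated on this page and is not assumed here).

```python
import os
import re
import stat
import tempfile

# Matches the socket entries of a lighttpd fastcgi.server stanza.
SOCKET_RE = re.compile(r'"socket"\s*=>\s*"([^"]+)"')

# Constructed example stanza in the weak shape the advisory describes: a fixed
# socket name inside the world-writable /tmp. Example config, not Debian's file.
WEAK_CONF = '''
fastcgi.server += ( ".php" =>
    ((
        "bin-path" => "/usr/bin/php-cgi",
        "socket" => "/tmp/php.socket",
        "max-procs" => 1,
    ))
)
'''


def socket_paths(conf_text):
    """Return every "socket" => "..." value found in a config fragment."""
    return SOCKET_RE.findall(conf_text)


def classify_socket_dir(sock_path):
    """Classify the directory in which a socket would be created.

    'world-writable' : others have write permission, so any local user can
                       pre-create or symlink the fixed socket name before the
                       web server does (the sticky bit only blocks deletion of
                       other users' entries; it does not stop that).
    'missing'        : the directory does not exist (or is not a directory),
                       so it cannot be judged from mode bits here.
    'ok'             : exists and is not writable by others.
    """
    parent = os.path.dirname(sock_path) or "/"
    try:
        st = os.stat(parent)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISDIR(st.st_mode):
        return "missing"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    return "ok"


def audit(conf_text):
    """Map each socket path found in the config text to its verdict."""
    return {p: classify_socket_dir(p) for p in socket_paths(conf_text)}


def demo():
    """Audit the weak stanza and a hardened copy against two constructed dirs.

    'shared' is created with mode 1777 (sticky and world-writable, like /tmp);
    'private' with mode 0750, standing in for a service-owned run directory.
    The socket is moved from the first to the second for the hardened copy.
    """
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "shared")
        private = os.path.join(tmp, "lighttpd")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)
        os.mkdir(private)
        os.chmod(private, 0o750)
        weak = WEAK_CONF.replace("/tmp/php.socket",
                                 os.path.join(shared, "php.socket"))
        fixed = WEAK_CONF.replace("/tmp/php.socket",
                                  os.path.join(private, "php.socket"))
        return {
            "weak": set(audit(weak).values()),
            "fixed": set(audit(fixed).values()),
        }


if __name__ == "__main__":
    # Against the real /tmp of the host this reports the advisory's condition.
    print(audit(WEAK_CONF))
    print(demo())
```

Pointing the same function at the actual file (read /etc/lighttpd/conf-enabled/*fastcgi*php*.conf and pass the text to audit) gives the check the advisory asks for when the config was locally modified and the package update left it alone. Note that a socket in a private directory is the fix; a kernel that refuses to follow symlinks in sticky world-writable directories narrows the symlink variant but does not stop another user from claiming the fixed name first.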