Информационная безопасность
[RU] switch to English

Уязвимости безопасности в lighttpd
дополнено с 26 декабря 2011 г.
Опубликовано:2 января 2012 г.
SecurityVulns ID:12116
Уровень опасности:
Описание:Отказ в обслуживании при разборе base64
Затронутые продукты:LIGHTTPD : lighttpd 1.4
CVE:CVE-2011-4362 (Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.)
 CVE-2011-3389 (The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.)
Оригинальный текстdocumentpi3_(at)_itsec.pl, Lighttpd Proof of Concept code for CVE-2011-4362 (02.01.2012)
 documentDEBIAN, [SECURITY] [DSA 2368-1] lighttpd security update (26.12.2011)
Файлы:Primitive Lighttpd Proof of Concept code for CVE-2011-4362 vulnerability

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород