# PCI Scan failing because of lighttpd



## ioncannon23 (Sep 9, 2009)

Hello all. My FreeBSD-based server, running Apache and NOT lighttpd, is failing a Nessus scan which states that there is a lighttpd error as follows:


```
http  (80/tcp) Medium 39006

Fail Synopsis :

The web server running on the remote host has an information
disclosure vulnerability.

Description :

The version of lighttpd installed on the remote host may disclose the source code of files such as PHP scripts when a '/' is appended to a URL
corresponding to a symbolic link. This vulnerability occurs only on certain operating systems (FreeBSD, Mac OS X, and Solaris prior to version
10 are known to be affected) and arises because of a bug in the operating system itself in which adding a trailing slash to a symbolic link
pointing to a regular file returns the link itself.

See also :

http://redmine.lighttpd.net/issues/1989

Solution :

Upgrade to lighttpd 1.4.23 when it becomes available.

CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin output :
Nessus was able to detect the vulnerability using the following
URL : http://www.mydomain.com/index.php/

BID : 35097

Other references : milw0rm:8786
```

Now, since I do not have the lighttpd port installed, what is the deal with this? Does anyone know how to test this manually to see if it is a real issue and not a false positive?

thanks,

-ic
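As an added example (not part of the thread, and not from Nessus or lighttpd), here is a small POSIX shell script for checking the finding on your own host. It reproduces the OS-level root cause the plugin describes (opening `symlink/` succeeding instead of failing with ENOTDIR), classifies an HTTP response by its `Server` header and by whether the body looks like unrendered PHP source, and wraps both into a live check of a URL you own. The function names, the `curl` dependency in `check_url`, and the sample values are my assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): local checks to decide whether the
# Nessus lighttpd finding is real on your own host, without trusting the scanner.

# 1. Reproduce the OS-level root cause the plugin describes: on affected systems
#    opening "symlink/" (a symlink to a regular file) succeeds instead of failing
#    with ENOTDIR. Prints "affected" or "ok". Uses a temp dir, so it is harmless.
symlink_trailing_slash_check() {
    d=$(mktemp -d) || return 2
    printf '<?php echo "hello"; ?>\n' > "$d/target.php"   # constructed sample file
    ln -s target.php "$d/link.php"
    if cat "$d/link.php/" >/dev/null 2>&1; then
        result=affected
    else
        result=ok
    fi
    rm -rf "$d"
    printf '%s\n' "$result"
}

# 2. Does a response body look like PHP source that the server failed to execute?
#    $1 = response body. Returns 0 (yes) or 1 (no).
looks_like_php_source() {
    case "$1" in
        *'<?php'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# 3. Combine header and body evidence into a one-line verdict.
#    $1 = value of the Server header, $2 = response body.
classify_response() {
    server=$1
    body=$2
    case "$server" in
        *lighttpd*) srv=lighttpd ;;
        *)          srv=other ;;
    esac
    if looks_like_php_source "$body"; then
        printf 'source-disclosure server=%s\n' "$srv"
    else
        printf 'no-disclosure server=%s\n' "$srv"
    fi
}

# 4. Live check against a URL you administer (needs curl and network access;
#    assumed helper, not run by the checks below). Fetches URL with a trailing
#    slash, exactly the form the plugin reported, and classifies the answer.
check_url() {
    url=$1
    hdr=$(curl -s -I "$url/" | tr -d '\r' \
          | awk 'tolower($1)=="server:" { sub(/^[^ ]* /, ""); print; exit }')
    body=$(curl -s "$url/")
    classify_response "$hdr" "$body"
}

# Usage: sh check.sh http://www.example.invalid/index.php
if [ "$#" -ge 1 ]; then
    printf 'OS trailing-slash symlink behaviour: %s\n' "$(symlink_trailing_slash_check)"
    check_url "$1"
fi
```

If the OS check prints `ok`, the kernel does not exhibit the behaviour the plugin depends on, and a `no-disclosure server=other` verdict for the reported URL confirms the false positive; a `source-disclosure` verdict is a real problem regardless of which server banner is shown.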


----------



## vivek (Sep 9, 2009)

Type the following command and give us the output:

```
sockstat -p80 -4l
```


----------



## ioncannon23 (Sep 9, 2009)

Sure


```
# sockstat -p80 -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      65717 3  tcp46  *:80                  *:*
www      httpd      65686 3  tcp46  *:80                  *:*
www      httpd      65685 3  tcp46  *:80                  *:*
www      httpd      65684 3  tcp46  *:80                  *:*
www      httpd      65656 3  tcp46  *:80                  *:*
www      httpd      65501 3  tcp46  *:80                  *:*
www      httpd      65495 3  tcp46  *:80                  *:*
www      httpd      65493 3  tcp46  *:80                  *:*
www      httpd      65450 3  tcp46  *:80                  *:*
www      httpd      65447 3  tcp46  *:80                  *:*
www      httpd      65442 3  tcp46  *:80                  *:*
www      httpd      65374 3  tcp46  *:80                  *:*
www      httpd      65345 3  tcp46  *:80                  *:*
www      httpd      65339 3  tcp46  *:80                  *:*
www      httpd      65238 3  tcp46  *:80                  *:*
root     httpd      65163 3  tcp46  *:80                  *:*
```


----------



## phospher (Sep 10, 2009)

I've found that you really have to watch Nessus, as it flags a lot of false positives. If you were in fact running lighty you would not see "httpd" with that sockstat command. Instead you would see something like this:


```
bsd01# sockstat -p80 -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      lighttpd   728   5  tcp4   *:80                  *:*
```


----------

