Description

The configuration file for the FastCGI PHP support for lighttpd before 1.4.28 on Debian GNU/Linux creates a socket file with a predictable name in /tmp, which allows local users to hijack the PHP control socket and perform unauthorized actions such as forcing the use of a different version of PHP via a symlink attack or a race condition.

Remediation

References

CVE-2013-1427

Related Vulnerabilities

Craft CMS Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2021-27903)

WordPress Plugin Estatik Real Estate Arbitrary File Upload (2.3.0)

ownCloud Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2015-3013)

Jenkins Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-2223)

WordPress Plugin Appointments Cross-Site Scripting (2.2.2.2)

Severity

Low

Classification

CVE-2013-1427

Tags

Missing Update Known Vulnerabilities