[+] Lighttpd analysis

This module tests for lighttpd configuration files and binaries.
The configuration files are analysed for configuration issues.

The tests of these configuration files are based on the following sources:
    - Lighttpd - Docs_SSL
    - Alpine Linux - Lighttpd Advanced security
    - Hardening guide for lighttpd 1.4.26 on redhat Linux


==> Lighttpd binary analysis

[+] Version information found lighttpd/1.4.35 (ssl) - a light and fast webserver in binary /sbin/lighttpd (-rw-r--r-- 117 125) (license: bsd) (static).

[*] Vulnerability details for lighttpd / version 1.4.35 / source unknown:

	lighttpd            :   1.4.35      :   CVE-2019-11072    :   9.8       :   unknown        :   Exploit (Github: jreisinger_checkip (G))
	lighttpd            :   1.4.35      :   CVE-2018-19052    :   7.5       :   unknown        :   Exploit (Github: fklement_hades (G) iveresk_cve-2018-19052 (G))
	lighttpd            :   1.4.35      :   CVE-2015-3200     :   7.5       :   unknown        :   No exploit available

[+] Found 3 CVEs and 2 exploits (including POC's) in lighttpd with version 1.4.35 (source unknown).


[*] Testing lighttpd binaries for binary protection mechanisms:

RELRO      STACK CANARY     NX           PIE     RPATH  RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  FILE
No RELRO   No canary found  NX disabled  No PIE  RPATH  No RUNPATH  No Symbols  No       0          11           /logs/firmware/patool_extraction/DUMP/mtdblock8_unblob_extracted/mtdblock8_extract/0-9650176.squashfs_v4_le_extract/sbin/lighttpd

[*] Testing lighttpd binaries for deprecated function calls:


==> Lighttpd configuration analysis for lighttpd_ssl.conf

[*] Testing web server configuration file /logs/firmware/patool_extraction/DUMP/mtdblock8_unblob_extracted/mtdblock8_extract/0-9650176.squashfs_v4_le_extract/etc/lighttpd/lighttpd_ssl.conf

[*] Testing web server user
[*] Testing web server root directory location
[*] Testing for additional web server binaries
[*] Testing for directory listing configuration
[*] Testing web server ssl.engine usage
[+] Possible configuration issue detected: Web server not using ssl engine

==> Lighttpd configuration analysis for lighttpd.conf

[*] Testing web server configuration file /logs/firmware/patool_extraction/DUMP/mtdblock8_unblob_extracted/mtdblock8_extract/0-9650176.squashfs_v4_le_extract/etc/lighttpd/lighttpd.conf

[*] Testing web server user
[*] Testing web server root directory location
[*] Testing for additional web server binaries
[*] Testing for directory listing configuration
[*] Testing web server ssl.engine usage
[+] Possible configuration issue detected: Web server not using ssl engine