LiteSpeed Web Server – Symlink Race Condition Vulnerability (R911-0083)

Type: Symlink Race Condition
Location: Local
Impact: High
Product: LiteSpeed Web Server
Website: http://www.litespeedtech.com
Vulnerable Version: 4.2.4
Fixed Version: 4.2.5
CVE:
R911: 0083
Date: 2013-10-31
By: Rack911

Product Description:

LiteSpeed Web Server (LSWS) is a high-performance Apache drop-in replacement. LSWS is the 4th most popular web server on the internet and the #1 commercial web server. Upgrading your web server to LiteSpeed Web Server will improve your performance and lower operating costs.

Vulnerability Description:

A malicious user can perform a carefully crafted symlink attack against LiteSpeed Web Server to obtain any file belonging to other customers on the same server. Using our unique symlink attack defeats all protection in the LiteSpeed Web Server in a matter of seconds.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that other user files may be accessible.

Vulnerable Version:

This vulnerability was tested against LiteSpeed Web Server v4.2.4 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in LiteSpeed Web Server v4.2.5.

Vendor Contact Timeline:

2013-10-14 Vendor contacted via email.
2013-10-14: Vendor confirms vulnerability.
2013-10-30: Vendor issues update.
2013-10-31: Rack911 issues security advisory.