![]() Remote Code Execution ( CVE-2022-0073) rated High severity (CVSS 8.8)Īt the first stage of the attack, we tried to gain remote code execution and found that the OpenLiteSpeed Web Server admin dashboard is vulnerable to a command injection vulnerability. This vulnerability applies to OpenLiteSpeed and LiteSpeed Enterprise WebAdmin Console, and is only exploitable after WebAdmin Authentication has been achieved.Īdditionally, you must have root privileges in order to upload a custom exploit under /usr/local/lsws/admin/html. An attacker that compromised the server could create a secret backdoor and exploit the vulnerability to access it. was a directory traversal vulnerability that could allow an attacker to bypass security measures and access forbidden files. Palo Alto Networks has already released information about these CVEs, but we would like to expand on this, below. On October 20th, our Docker Images for both OLS and LSWS were updated. On October 18th, we pushed the related updates to OpenLiteSpeed v1.7.16 as Build 1 On October 12th, we pushed the related updates to LiteSpeed Enterprise v6.0.12 as Build 10 During this period we monitored the changes and ensured they were not affecting anything else. On October 8th, we internally remediated these bugs and put them into testing. LiteSpeed’s Team acted swiftly and informed Unit 42 that the issues were under remediation. We would like to thank the Unit 42 Team at Palo Alto Networks for responsibly disclosing security issues in our OpenLiteSpeed and LiteSpeed Enterprise web servers on October 4th, and maintaining good communication throughout. Future security updates will be released with incremented version numbers, and will no longer be released as new builds of existing version numbers.You should upgrade to the latest version and build of OpenLiteSpeed or LiteSpeed Enterprise, as appropriate.One is within the Docker system, and the other two cannot be exploited without WebAdmin access. These vulnerabilities don’t impact the majority of our clients.These were fixed in OpenLiteSpeed v1.7.16 Build 1 and LiteSpeed Enterprise v6.0.12 Build 10. Three vulnerabilities were reported to LiteSpeed.Today, as a part of that commitment, we want to share details of certain bugs reported in OpenLiteSpeed (OLS) and LiteSpeed Enterprise (LSWS) web servers. Our priority is to empower our customers to better protect their systems, but we also take such situations as learning opportunities. So when a vulnerability is discovered, we act quickly. Restart the ListeSpeed server for the options to take effectĪt this point, the WP Hide plugin can be activated and configured, it will automatically generate and deploy the necessary rewrite rules to make the required features and functionality to run.Security has always been at the forefront of our development process at LiteSpeed Technologies. Select the Rewrite tab in the horizontal navigationĬlick to edit Rewrite Control area and set the Enable Rewrite to Yes also Auto Load from. Open the LiteSpeed WebAdmin Console, and access the Virtual Hosts:Ĭhoose the host from the list where the site is being deployed Before starting to use WP Hide, ensure the Rewrites are turned on: ![]() htacces file so none of the lines will be processed. ![]() As default, OpenLiteSpeed Edition is not configured to parse the. The LiteSpeed Web Server uses similar rewrites as Apache, so the rules can be placed on. With its comprehensive range of features and easy web administration graphical console, LiteSpeed Web Server can help you deliver the best performances out of existing hosting solution. LiteSpeed Web Server can be used to replace an existing Apache system, without changing other applications or operating system details. Being used on near 3% of total websites is the 4th as popularity worldwide. LiteSpeed Web Server is one of the best high-performance and high-scalability webserver type.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |