PT-2015-15: Information Disclosure in LiteSpeed Web Server Vulnerable softwareLiteSpeed Web Server Version: 4.2.23 and earlierLinks: http://www.litespeedtech.com/Severity levelSeverity level: Medium Impact: Information Disclosure Access Vector: Remote CVSS v2: Base Score: 4.3 Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)CVE: not assignedSoftware descriptionLiteSpeed Web Server is a web application server. Vulnerability descriptionThe specialists of the Positive Research center have detected an Information Disclosure vulnerability in LiteSpeed Web Server.This vulnerability allows attackers to obtain the content of arbitrary memory locations in LiteSpeed Web Server. The exploitation of the vulnerability makes it possible to read arbitrary parts of HTTP requests that were made earlier. It may result in disclosure of sensitive data, information regarding configuration of the server; or in taking control over the session of an authorized user.How to fixUpdate your software up to the latest versionAdvisory status 20.03.2015 - Vendor gets vulnerability details 17.04.2015 - Vendor releases fixed version and details 17.11.2015 - Public disclosureCreditsThe vulnerability was detected by Semen Rozhkov, Positive Research Center (Positive Technologies Company)References http://en.securitylab.ru/lab/PT-2015-15 Reports on the vulnerabilities previously discovered by Positive Research:http://www.ptsecurity.com/research/advisory/ http://en.securitylab.ru/lab/