This exploit is just a proof of concept for a file disclosure vulnerability. It would take quite a bit of effort on the part of an attacker to gain complete control of a system with it. Although this particular exploit would not allow an attacker to get remote root control of a web server, I would still upgrade as soon as possible.
It's not really a "proof of concept" considering it's got actual exploit code with it. I was unable to test it because I don't have an LSWS with an active license, and I couldn't get another trial license to work - it just fails to start.
It looks legit to me though. Wait for LiteSpeed or mistwang here to confirm/deny it.
That's the definition of "proof of concept" as commonly understood in the security research community.
In my mind, a "proof of concept" would be a mostly harmless exploit, something without any payload - you can download the config.php of any webapp you desire (that's hosted on LSWS) with that script, that's hardly harmless.
Out of interest, what version are you guys running?
I just tried it on 4.0.14 and it didn't work.
4.0.14 is vulnerable under my tests.
bin/lshttpd.4.0.14: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
However, the exploit linked here did *NOT* work. I had to write my own version to get reproducible effects.
Here is the source: pastebin.ca/1882204 (can't directly link, I don't have 5 posts).
-05:04:20- seraphic:~/test luna% ./litespeed.pl <censored> /test.php
[.] webserver accepted the request
[.] <censored>:80 is running LiteSpeed
[+] file (test.php.txt) has been saved.
-05:07:03- seraphic:~/test luna% cat <censored>\:80-test.php
$super_secure_password = "vulnerable";
Yes, I am aware the reported file it saves to is wrong, I wrote it at 4 in the morning. Cut me a little slack.
Tell everybody you know running LiteSpeed (especially in place of Apache on cPanel servers, like I'm doing) to either hotfix with mod_security (does this work?) or switch back to Apache until an upgrade is released.