From 23a6b3fb247d512763c6d3cd6525e8efe482b1de Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 2 Feb 2023 16:02:29 +0100 Subject: [PATCH 1/2] lighttpd module --- config/report_templates/S36_lighttpd-pre.sh | 12 + modules/S36_lighttpd.sh | 311 ++++++++++++++++++++ 2 files changed, 323 insertions(+) create mode 100755 config/report_templates/S36_lighttpd-pre.sh create mode 100755 modules/S36_lighttpd.sh diff --git a/config/report_templates/S36_lighttpd-pre.sh b/config/report_templates/S36_lighttpd-pre.sh new file mode 100755 index 000000000..ee199dfff --- /dev/null +++ b/config/report_templates/S36_lighttpd-pre.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +print_output "This module tests for lighttpd configuration files and binaries" +print_output "The configuration files are analysed for configuration issues." +print_ln +print_output "The tests of these configuration files is based on the following sources:" +print_output "$(indent "$(orange "- Lighttpd - Docs_SSL")")" +write_link "https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL" +print_output "$(indent "$(orange "- Alpine Linux - Lighttpd Advanced security")")" +write_link "https://wiki.alpinelinux.org/wiki/Lighttpd_Advanced_security" +print_output "$(indent "$(orange "- Hardening guide for lighttpd 1.4.26 on redhat Linux")")" +write_link "https://security-24-7.com/hardening-guide-for-lighttpd-1-4-26-on-redhat-5-5-64bit-edition/" diff --git a/modules/S36_lighttpd.sh b/modules/S36_lighttpd.sh new file mode 100755 index 000000000..98c7a7f5e --- /dev/null +++ b/modules/S36_lighttpd.sh @@ -0,0 +1,311 @@ +#!/bin/bash -p + +# EMBA - EMBEDDED LINUX ANALYZER +# +# Copyright 2020-2023 Siemens Energy AG +# +# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +# EMBA is licensed under GPLv3 +# +# Author(s): Michael Messner +# +# Description: This module tests identified lighttpd configuration files for interesting areas. +# It is based on details from the following sources: +# https://wiki.alpinelinux.org/wiki/Lighttpd_Advanced_security +# https://security-24-7.com/hardening-guide-for-lighttpd-1-4-26-on-redhat-5-5-64bit-edition/ +# https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL +# The module results should be reviewed in details. There are probably a lot of cases +# which we are currently not handling correct. + + +S36_lighttpd() { + module_log_init "${FUNCNAME[0]}" + module_title "Lighttpd analysis" + pre_module_reporter "${FUNCNAME[0]}" + + local NEG_LOG=0 + local LIGHTTP_CFG_ARR=() + local LIGHTTP_BIN_ARR=() + local FILE="" + + readarray -t LIGHTTP_CFG_ARR < <( find "$FIRMWARE_PATH" -xdev "${EXCL_FIND[@]}" -iname '*lighttp*conf*' -exec md5sum {} \; 2>/dev/null | sort -u -k1,1 | cut -d\ -f3 ) + readarray -t LIGHTTP_BIN_ARR < <( find "$FIRMWARE_PATH" -xdev "${EXCL_FIND[@]}" -type f -iname 'lighttpd' -exec file {} \; 2>/dev/null | grep "ELF" | cut -d ':' -f1 | sort -u ) + + if [[ ${#LIGHTTP_BIN_ARR[@]} -gt 0 ]] ; then + lighttpd_binary_analysis "${LIGHTTP_BIN_ARR[@]}" + fi + + if [[ ${#LIGHTTP_CFG_ARR[@]} -gt 0 ]] ; then + for FILE in "${LIGHTTP_CFG_ARR[@]}" ; do + lighttpd_config_analysis "$FILE" "${LIGHT_VERSIONS[@]}" + write_csv_log "Lighttpd web server configuration file" "$(basename "$FILE")" "$FILE" + local NEG_LOG=1 + done + else + print_output "[-] No Lighttpd related configuration files found" + fi + + module_end_log "${FUNCNAME[0]}" "$NEG_LOG" +} + +lighttpd_binary_analysis() { + sub_module_title "Lighttpd binary analysis" + local LIGHTTP_BIN_ARR="${@}" + export LIGHT_VERSIONS=() + + if [[ -f "$CSV_DIR/s09_firmware_base_version_check.csv" ]] && grep -q "lighttpd" "$CSV_DIR"/s09_firmware_base_version_check.csv; then + # if we already have results from s09 we just use them + mapfile -t LIGHT_VERSIONS < <(grep "lighttpd" "$CSV_DIR"/s09_firmware_base_version_check.csv | cut -d\; -f4 | sort -u || true) + else + # most of the time we run through the lighttpd version identifiers and check them against the lighttpd binaries + while read -r VERSION_LINE; do + if safe_echo "$VERSION_LINE" | grep -v -q "^[^#*/;]"; then + continue + fi + if safe_echo "$VERSION_LINE" | grep -q ";no_static;"; then + continue + fi + if safe_echo "$VERSION_LINE" | grep -q ";live;"; then + continue + fi + + CSV_REGEX="$(echo "$VERSION_LINE" | cut -d\; -f5)" + LIC="$(safe_echo "$VERSION_LINE" | cut -d\; -f3)" + BIN_NAME="$(safe_echo "$VERSION_LINE" | cut -d\; -f1)" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_LINE" | cut -d\; -f4)" + VERSION_IDENTIFIER="${VERSION_IDENTIFIER/\"}" + VERSION_IDENTIFIER="${VERSION_IDENTIFIER%\"}" + + for BIN in "${LIGHTTP_BIN_ARR[@]}" ; do + VERSION_FINDER=$(strings "$BIN" | grep -o -a -E "$VERSION_IDENTIFIER" | head -1 2> /dev/null || true) + if [[ -n $VERSION_FINDER ]]; then + print_ln "no_log" + print_output "[+] Version information found ${RED}$VERSION_FINDER${NC}${GREEN} in binary $ORANGE$(print_path "$BIN")$GREEN (license: $ORANGE$LIC$GREEN) (${ORANGE}static${GREEN})." + get_csv_rule "$VERSION_FINDER" "$CSV_REGEX" + LIGHT_VERSIONS+=( "$CSV_RULE" ) + continue + fi + done + done < <(grep "^lighttpd" "$CONFIG_DIR"/bin_version_strings.cfg) + fi + eval "LIGHT_VERSIONS=($(for i in "${LIGHT_VERSIONS[@]}" ; do echo "\"$i\"" ; done | sort -u))" + + if [[ ${#LIGHT_VERSIONS[@]} -gt 0 ]] ; then + print_ln + # lets do a quick vulnerability check on our lighttpd version + if ! [[ -d "$LOG_PATH_MODULE"/cve_sum ]]; then + mkdir "$LOG_PATH_MODULE"/cve_sum + fi + for LIGHT_VER in "${LIGHT_VERSIONS[@]}"; do + cve_db_lookup_version "$LIGHT_VER" + done + + # check for binary protections on lighttpd binaries + print_ln + print_output "[*] Testing lighttpd binaries for binary protection mechanisms:\\n" + for BIN in "${LIGHTTP_BIN_ARR[@]}" ; do + print_output "$("$EXT_DIR"/checksec --file="$BIN")" + done + + print_ln + print_output "[*] Testing lighttpd binaries for deprecated function calls:\\n" + VULNERABLE_FUNCTIONS_VAR="$(config_list "$CONFIG_DIR""/functions.cfg")" + IFS=" " read -r -a VULNERABLE_FUNCTIONS <<<"$( echo -e "$VULNERABLE_FUNCTIONS_VAR" | sed ':a;N;$!ba;s/\n/ /g' )" + if ( file "$BIN" | grep -q "x86-64" ) ; then + function_check_x86_64 "$BIN" "${VULNERABLE_FUNCTIONS[@]}" + elif ( file "$BIN" | grep -q "Intel 80386" ) ; then + function_check_x86 "$BINARY" "${VULNERABLE_FUNCTIONS[@]}" + elif ( file "$BIN" | grep -q "32-bit.*ARM" ) ; then + function_check_ARM32 "$BINARY" "${VULNERABLE_FUNCTIONS[@]}" + elif ( file "$BIN" | grep -q "64-bit.*ARM" ) ; then + function_check_ARM64 "$BINARY" "${VULNERABLE_FUNCTIONS[@]}" + elif ( file "$BIN" | grep -q "MIPS" ) ; then + function_check_MIPS "$BIN" "${VULNERABLE_FUNCTIONS[@]}" + elif ( file "$BIN" | grep -q "PowerPC" ) ; then + function_check_PPC32 "$BINARY" "${VULNERABLE_FUNCTIONS[@]}" + elif ( file "$BIN" | grep -q "Altera Nios II" ) ; then + function_check_NIOS2 "$BINARY" "${VULNERABLE_FUNCTIONS[@]}" + elif ( file "$BINARY" | grep -q "QUALCOMM DSP6" ) ; then + radare_function_check_hexagon "$BIN" "${VULNERABLE_FUNCTIONS[@]}" + fi + fi +} + +lighttpd_config_analysis() { + local LIGHTTPD_CONFIG="${1:-}" + shift + local LIGHT_VERSIONS="${@}" + local SSL_ENABLED=0 + + if ! [[ -f "$LIGHTTPD_CONFIG" ]]; then + print_output "[-] No configuration file available" + return + fi + sub_module_title "Lighttpd configuration analysis for $(basename "$LIGHTTPD_CONFIG")" + + print_output "[*] Testing web server configuration file $ORANGE$LIGHTTPD_CONFIG$NC\\n" + print_output "[*] Testing web server user" + if grep "user=root" "$LIGHTTPD_CONFIG" | grep -E -v -q "^([[:space:]])?#"; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server running as root user:$NC" + print_output "$(indent "$(orange "$(grep "user=root" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + if grep -E "server.username.*root" "$LIGHTTPD_CONFIG" | grep -E -v -q "^([[:space:]])?#"; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server running as root user:$NC" + print_output "$(indent "$(orange "$(grep -E "server.username.*root" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + + print_output "[*] Testing web server root directory location" + if grep -E "server_root\|server\.document-root" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[*] ${ORANGE}Configuration note:${NC} Web server using the following root directory" + print_output "$(indent "$(orange "$(grep -E "server_root\|server\.document-root" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + + print_output "[*] Testing for additional web server binaries" + if grep -E "bin-path" "$LIGHTTPD_CONFIG" | grep -E -v -q "^([[:space:]])?#"; then + print_output "[*] ${ORANGE}Configuration note:${NC} Web server using the following additional binaries" + print_output "$(indent "$(orange "$(grep -E "bin-path" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + + print_output "[*] Testing for directory listing configuration" + if grep -E "dir-listing.activate.*enable" "$LIGHTTPD_CONFIG" | grep -E -v -q "^([[:space:]])?#"; then + print_output "[+] Configuration issue detected: ${ORANGE}Web server allows directory listings$NC" + print_output "$(indent "$(orange "$(grep -E "dir-listing.activate.*enable" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + if grep -E "server.dir-listing.*enable" "$LIGHTTPD_CONFIG" | grep -E -v -q "^([[:space:]])?#"; then + print_output "[+] Configuration issue detected: ${ORANGE}Web server allows directory listings$NC" + print_output "$(indent "$(orange "$(grep -E "server.dir-listing.*enable" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + + print_output "[*] Testing web server ssl.engine usage" + if ! grep -E "ssl.engine.*enable" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server not using ssl engine$NC" + else + SSL_ENABLED=1 + fi + + if [[ "$SSL_ENABLED" -eq 1 ]]; then + print_output "[*] Testing web server pemfile location" + if grep -E "ssl.pemfile" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[*] ${ORANGE}Configuration note:$NC Web server using the following pem file" + print_output "$(indent "$(orange "$(grep -E "ssl.pemfile" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + mapfile -t PEM_FILES < <(grep -E "ssl.pemfile" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#" | cut -d= -f2 | tr -d '"') + for PEM_FILE in "${PEM_FILES[@]}"; do + PEM_FILE=$(echo "$PEM_FILE" | tr -d "[:space:]") + mapfile -t REAL_PEMS < <(find "$FIRMWARE_PATH" -wholename "*$PEM_FILE") + for REAL_PEM in "${REAL_PEMS[@]}"; do + print_output "[*] ${ORANGE}Configuration note:${NC} Web server pem file found: $ORANGE$REAL_PEM$NC" + print_output "[*] $(find "$REAL_PEM" -ls)" + # Todo: check for permissions 400 on pem file + if [[ "$(stat -c "%a" "$REAL_PEM")" -ne 400 ]]; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Privileges of web server pem file not correct$NC" + fi + done + done + fi + print_output "[*] Testing web server private key file" + if grep -E "ssl.privkey" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[*] ${ORANGE}Configuration note:${NC} Web server using the following private key file" + print_output "$(indent "$(orange "$(grep -E "ssl.privkey" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + + print_output "[*] Testing web server BEAST mitigation" + if grep -E "ssl.disable-client-renegotiation.*disable" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server not mitigating the BEAST attack (CVE-2009-3555) via ssl.disable-client-renegotiation.$NC" + print_output "$(indent "$(orange "$(grep -E "ssl.disable-client-renegotiation.*disable" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#")")")" + fi + if grep -E "ssl.honor-cipher-order.*disable" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + # defaults to enable -> we only need to check if it is disabled + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server not mitigating the BEAST attack (CVE-2009-3555) via ssl.honor-cipher-order.$NC" + print_output "$(indent "$(orange "$(grep -E "ssl.honor-cipher-order.*disable" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + + print_output "[*] Testing web server for SSL ciphers supported" + print_output "$(indent "$(orange "$(grep "ssl.cipher-list\|ssl.openssl.ssl-conf-cmd" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + + if grep "ssl.cipher-list\|ssl.openssl.ssl-conf-cmd" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + + print_output "[*] Testing web server POODLE attack mitigation" + if grep -E "ssl.cipher-list.*:SSLv3" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + if [[ ${#LIGHT_VERSIONS[@]} -eq 0 ]] ; then + # if we have no version detected we show this issue: + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server not mitigating the POODLE attack (CVE-2014-3566) via disabled SSLv3 ciphers.$NC" + print_output "[*] Note that SSLv3 is automatically disabled on lighttpd since version ${ORANGE}1.4.36${NC}" + print_output "$(indent "$(orange "$(grep "ssl.cipher-list" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + + for LIGHT_VER in "${LIGHT_VERSIONS[@]}"; do + LIGHT_VER="${LIGHT_VER/*:/}" + if [[ "$(version "$LIGHT_VER")" -le "$(version "1.4.35")" ]]; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server not mitigating the POODLE attack (CVE-2014-3566) via disabled SSLv3 ciphers.$NC" + print_output "[*] Note that SSLv3 is automatically disabled on lighttpd since version ${ORANGE}1.4.36${NC}" + print_output "[*] EMBA detected lighttpd version ${ORANGE}$LIGHT_VER${NC}" + print_output "$(indent "$(orange "$(grep "ssl.cipher-list" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + done + fi + + print_output "[*] Testing web server enabled SSLv2" + if grep -E "ssl.use-sslv2.*enable" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server enables SSLv2 ciphers.$NC" + print_output "$(indent "$(orange "$(grep -E "ssl.use-sslv2" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + + print_output "[*] Testing web server enabled SSLv3" + if grep -E "ssl.use-sslv3.*enable" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server enables SSLv3 ciphers.$NC" + print_output "$(indent "$(orange "$(grep -E "ssl.use-sslv3" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + + print_output "[*] Testing web server FREAK attack mitigation" + if grep -E "ssl.cipher-list.*:EXPORT" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server not disabling EXPORT ciphers.$NC" + print_output "$(indent "$(orange "$(grep "ssl.cipher-list" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + + print_output "[*] Testing web server NULL ciphers" + if grep -E "ssl.cipher-list.*:[ae]NULL" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server not disabling NULL ciphers.$NC" + print_output "$(indent "$(orange "$(grep "ssl.cipher-list" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + + print_output "[*] Testing web server RC4 ciphers" + if grep -E "ssl.cipher-list.*:RC4" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server not disabling RC4 ciphers.$NC" + print_output "$(indent "$(orange "$(grep "ssl.cipher-list" "$LIGHTTPD_CONFIG" | sort -u | grep -E -v "^([[:space:]])?#")")")" + fi + + print_output "[*] Testing web server DES ciphers" + if grep -E "ssl.cipher-list.*:DES" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server not disabling DES ciphers.$NC" + print_output "$(indent "$(orange "$(grep "ssl.cipher-list" "$LIGHTTPD_CONFIG" | sort -u | grep -q -E -v "^([[:space:]])?#")")")" + fi + + print_output "[*] Testing web server 3DES ciphers" + if grep -E "ssl.cipher-list.*:3DES" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server not disabling 3DES ciphers.$NC" + print_output "$(indent "$(orange "$(grep "ssl.cipher-list" "$LIGHTTPD_CONFIG" | sort -u | grep -q -E -v "^([[:space:]])?#")")")" + fi + + print_output "[*] Testing web server MD5 ciphers" + if grep -E "ssl.cipher-list.*:MD5" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server not disabling MD5 ciphers.$NC" + print_output "$(indent "$(orange "$(grep "ssl.cipher-list" "$LIGHTTPD_CONFIG" | sort -u | grep -q -E -v "^([[:space:]])?#")")")" + fi + + # lighttpd implicitly applies ssl.cipher-list = "HIGH" (since lighttpd 1.4.54) if ssl.cipher-list is not explicitly set in lighttpd.conf. + print_output "[*] Testing web server LOW ciphers" + if grep -E "ssl.cipher-list.*:LOW" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server enabling LOW ciphers.$NC" + print_output "$(indent "$(orange "$(grep "ssl.cipher-list" "$LIGHTTPD_CONFIG" | sort -u | grep -q -E -v "^([[:space:]])?#")")")" + fi + print_output "[*] Testing web server MEDIUM ciphers" + if grep -E "ssl.cipher-list.*:MEDIUM" "$LIGHTTPD_CONFIG" | grep -q -E -v "^([[:space:]])?#"; then + print_output "[+] Possible configuration issue detected: ${ORANGE}Web server enabling MEDIUM ciphers.$NC" + print_output "$(indent "$(orange "$(grep "ssl.cipher-list" "$LIGHTTPD_CONFIG" | sort -u | grep -q -E -v "^([[:space:]])?#")")")" + fi + fi + fi +} From c0b8d286a5960a60dbb2890cdd541d8f487d2e91 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 2 Feb 2023 16:12:42 +0100 Subject: [PATCH 2/2] shellcheck my friend --- modules/S36_lighttpd.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/S36_lighttpd.sh b/modules/S36_lighttpd.sh index 98c7a7f5e..8fe856308 100755 --- a/modules/S36_lighttpd.sh +++ b/modules/S36_lighttpd.sh @@ -53,7 +53,7 @@ S36_lighttpd() { lighttpd_binary_analysis() { sub_module_title "Lighttpd binary analysis" - local LIGHTTP_BIN_ARR="${@}" + local LIGHTTP_BIN_ARR=("${@}") export LIGHT_VERSIONS=() if [[ -f "$CSV_DIR/s09_firmware_base_version_check.csv" ]] && grep -q "lighttpd" "$CSV_DIR"/s09_firmware_base_version_check.csv; then @@ -74,7 +74,6 @@ lighttpd_binary_analysis() { CSV_REGEX="$(echo "$VERSION_LINE" | cut -d\; -f5)" LIC="$(safe_echo "$VERSION_LINE" | cut -d\; -f3)" - BIN_NAME="$(safe_echo "$VERSION_LINE" | cut -d\; -f1)" VERSION_IDENTIFIER="$(safe_echo "$VERSION_LINE" | cut -d\; -f4)" VERSION_IDENTIFIER="${VERSION_IDENTIFIER/\"}" VERSION_IDENTIFIER="${VERSION_IDENTIFIER%\"}" @@ -137,7 +136,7 @@ lighttpd_binary_analysis() { lighttpd_config_analysis() { local LIGHTTPD_CONFIG="${1:-}" shift - local LIGHT_VERSIONS="${@}" + local LIGHT_VERSIONS=("${@}") local SSL_ENABLED=0 if ! [[ -f "$LIGHTTPD_CONFIG" ]]; then