Description

Jann Horn reported a MySQL injection vulnerability in lighttpd (a lightweight webserver) version 1.4.34 (and earlier) through a combination of two bugs:

  • request_check_hostname is too lax: it allows any host names starting with [ipv6-address] followed by anything but a colon, for example: 
    •   GET /etc/passwd HTTP/1.1
  Host: [::1]' UNION SELECT '/


    

  •  mod_mysql_vhost doesn't perform any quoting; it just replaces ? in
  the query string with the hostname.
    •

mod_evhost and mod_simple_vhost are vulnerable in a limited way too; a pattern: evhost.path-pattern = "/var/www/%0/" with a host "[]/../../../" leads to document root of "/var/www/[]/../../../", but as "/var/www/[]" usually doesn't exists this fails (this might depend on the operating system in use). If there exist directories like "/var/www/[...]" for IPv6 addresses as host names (or a user can create them) mod_evhost and mod_simple_vhost are vulnerable too.

Remediation

Upgrade to the latest version of lighttpd or disable mod_mysql_vhost.

References

lighttpd 1.4.34 SQL injection and path traversal CVE request

mod_mysql_vhost SQL injection

Related Vulnerabilities

WordPress Plugin WishList Member X SQL Injection (3.25.1)

WordPress Plugin WordPress Automatic 'q' Parameter SQL Injection (2.0.3)

WordPress Plugin myLinksDump 'url' Parameter SQL Injection (1.2)

WordPress Plugin Wordspew 'id' Parameter SQL Injection (1.16)

WordPress Plugin WP Coder-add custom html, css and js code SQL Injection (2.5.3)

Severity

High

Classification

CVE-2014-2323 CVE-2014-2324 CWE-89 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Directory Traversal SQL Injection