Description

Jann Horn reported a MySQL injection vulnerability in lighttpd (a lightweight webserver) version 1.4.34 (and earlier) through a combination of two bugs:

  • request_check_hostname is too lax: it allows any host names starting with [ipv6-address] followed by anything but a colon, for example: 
    •   GET /etc/passwd HTTP/1.1
  Host: [::1]' UNION SELECT '/


    

  •  mod_mysql_vhost doesn't perform any quoting; it just replaces ? in
  the query string with the hostname.
    •

mod_evhost and mod_simple_vhost are vulnerable in a limited way too; a pattern: evhost.path-pattern = "/var/www/%0/" with a host "[]/../../../" leads to document root of "/var/www/[]/../../../", but as "/var/www/[]" usually doesn't exists this fails (this might depend on the operating system in use). If there exist directories like "/var/www/[...]" for IPv6 addresses as host names (or a user can create them) mod_evhost and mod_simple_vhost are vulnerable too.

Remediation

Upgrade to the latest version of lighttpd or disable mod_mysql_vhost.

References

lighttpd 1.4.34 SQL injection and path traversal CVE request

mod_mysql_vhost SQL injection

Related Vulnerabilities

WordPress Plugin WooCommerce Multiple Vulnerabilities (2.3.5)

WordPress Plugin WordPress Page Contact SQL Injection (1.0)

WordPress Plugin Gallery-Video Gallery and Youtube Gallery SQL Injection (2.0.9)

Joomla! Core Directory Traversal (2.5.0 - 3.9.20)

WordPress Plugin WonderPlugin Audio Player Multiple Vulnerabilities (2.0)

Severity

High

Classification

CVE-2014-2323 CVE-2014-2324 CWE-89 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Directory Traversal SQL Injection