Description
Jann Horn reported a MySQL injection vulnerability in lighttpd (a
lightweight webserver) version 1.4.34 (and earlier) through a
combination of two bugs:
- request_check_hostname is too lax: it allows any host names starting with [ipv6-address] followed by anything but a colon, for example:
  GET /etc/passwd HTTP/1.1
  Host: [::1]' UNION SELECT '/
mod_evhost and mod_simple_vhost are vulnerable in a limited way too: a pattern such as evhost.path-pattern = "/var/www/%0/" with a host "[]/../../../" leads to a document root of "/var/www/[]/../../../", but as "/var/www/[]" usually doesn't exist, this fails (this might depend on the operating system in use). If directories like "/var/www/[...]" exist for IPv6 addresses as host names (or a user can create them), mod_evhost and mod_simple_vhost are vulnerable too.
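The strict form of the host check that the first bug lacks, as an added example (not lighttpd's code and not its actual fix): the hypothetical helper host_ipv6_literal_ok accepts a bracketed host only when the brackets hold a valid IPv6 address and the remainder is empty or ":port". Rejecting an empty port is an assumption of this sketch.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not lighttpd's code: returns 1 only when host is
 * "[" valid-IPv6 "]" followed by nothing or by ":port" (1-65535). */
int host_ipv6_literal_ok(const char *host) {
    char addr[INET6_ADDRSTRLEN];
    struct in6_addr parsed;
    const char *rb, *tail;
    unsigned long port = 0;
    size_t len, digits = 0;

    if (host == NULL || host[0] != '[') return 0;
    rb = strchr(host, ']');
    if (rb == NULL) return 0;

    /* Copy the text between the brackets and let inet_pton judge it. */
    len = (size_t)(rb - host) - 1;
    if (len == 0 || len >= sizeof(addr)) return 0;
    memcpy(addr, host + 1, len);
    addr[len] = '\0';
    if (inet_pton(AF_INET6, addr, &parsed) != 1) return 0;

    /* Per the description above, the lax check accepted any tail not
     * starting with ':'; here the tail must be empty or ":port". */
    tail = rb + 1;
    if (*tail == '\0') return 1;
    if (*tail++ != ':') return 0;
    if (*tail == '\0') return 0;          /* assumption: reject empty port */
    for (; *tail != '\0'; tail++) {
        if (*tail < '0' || *tail > '9' || ++digits > 5) return 0;
        port = port * 10 + (unsigned long)(*tail - '0');
    }
    return port >= 1 && port <= 65535;
}

int main(void) {
    /* Two legitimate hosts (constructed) and the two hosts from the text. */
    const char *samples[] = { "[::1]", "[2001:db8::1]:8080",
                              "[::1]' UNION SELECT '/", "[]/../../../" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s -> %s\n", samples[i],
               host_ipv6_literal_ok(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Validation of this kind narrows what reaches the vhost modules; it does not replace quoting or parameterizing the host value in the SQL query itself.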
Remediation
Upgrade to the latest version of lighttpd or disable mod_mysql_vhost.