Jann Horn reported a MySQL injection vulnerability in lighttpd (a
lightweight webserver) version 1.4.34 (and earlier) through a
combination of two bugs:
- request_check_hostname is too lax: it allows any host names starting with [ipv6-address] followed by anything but a colon, for example:
GET /etc/passwd HTTP/1.1 Host: [::1]' UNION SELECT '/
mod_evhost and mod_simple_vhost are vulnerable in a limited way too; a pattern: evhost.path-pattern = "/var/www/%0/" with a host "/../../../" leads to document root of "/var/www//../../../", but as "/var/www/" usually doesn't exists this fails (this might depend on the operating system in use). If there exist directories like "/var/www/[...]" for IPv6 addresses as host names (or a user can create them) mod_evhost and mod_simple_vhost are vulnerable too.
Upgrade to the latest version of lighttpd or disable mod_mysql_vhost.
WordPress Plugin RSVPMaker SQL Injection (7.8.1)
WordPress Plugin WordPress WP-Advanced-Search SQL Injection (3.3.6)
WordPress Plugin WP User-Custom Registration Forms, Login and User Profile Multiple Vulnerabilities (7.0)
WordPress Plugin Users Ultra SQL Injection (1.4.35)
WordPress Plugin Newsletter by Supsystic SQL Injection (1.5.5)