Description
Jann Horn reported a SQL injection vulnerability in lighttpd (a
lightweight web server) version 1.4.34 and earlier, reachable through
mod_mysql_vhost, caused by a combination of two bugs:
- mod_mysql_vhost uses the request's Host header in its lookup query without escaping it.
- request_check_hostname is too lax: it accepts any host name that starts with a bracketed IPv6 address ([ipv6-address]) and is followed by anything other than a colon, for example:
    GET /etc/passwd HTTP/1.1
    Host: [::1]' UNION SELECT '/
mod_evhost and mod_simple_vhost are affected in a more limited way. With a pattern such as evhost.path-pattern = "/var/www/%0/", a host of "[]/../../../" yields a document root of "/var/www/[]/../../../"; because "/var/www/[]" usually does not exist, the lookup fails (this may depend on the operating system in use). If directories like "/var/www/[...]" exist for IPv6-address host names (or a user can create them), mod_evhost and mod_simple_vhost are exploitable as well.
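The strict Host check described above, written as an added example rather than lighttpd's own code: after a bracketed IPv6 literal, only end-of-string or ":port" is accepted, so the "[::1]' UNION SELECT '/" value and the "[]/../../../" evhost case are both rejected. The function name host_header_is_valid and the decision not to accept zone ids are assumptions of this example.

```c
#include <ctype.h>
#include <string.h>

/* Returns 1 if s is a non-empty decimal port in 1..65535, else 0. */
static int valid_port(const char *s) {
    long port = 0;
    if (*s == '\0') return 0;
    for (; *s; s++) {
        if (!isdigit((unsigned char)*s)) return 0;
        port = port * 10 + (*s - '0');
        if (port > 65535) return 0;
    }
    return port > 0;
}

/* Accepts "[<hex digits, colons, dots>]" and returns the pointer just past
   the closing bracket, or NULL. Assumption: zone ids ("%eth0") are not
   accepted, and an empty literal "[]" is rejected. */
static const char *parse_ipv6_literal(const char *s) {
    size_t n = 0;
    if (*s != '[') return NULL;
    s++;
    while (isxdigit((unsigned char)*s) || *s == ':' || *s == '.') { s++; n++; }
    if (n == 0 || n > 45 || *s != ']') return NULL;
    return s + 1;
}

/* Strict Host validation (hypothetical replacement for a lax check):
   after an IPv6 literal or a plain host name, the only allowed suffix is
   nothing at all or ":port". Any other trailing byte, such as the quote
   that starts "' UNION ...", fails the check. */
int host_header_is_valid(const char *host) {
    const char *p;
    if (host == NULL || *host == '\0') return 0;
    if (*host == '[') {
        p = parse_ipv6_literal(host);
        if (p == NULL) return 0;
    } else {
        /* Plain host name or IPv4 address: only [A-Za-z0-9-.] up to ':' */
        for (p = host; *p && *p != ':'; p++) {
            if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.') return 0;
        }
        if (p == host) return 0;
    }
    if (*p == '\0') return 1;
    if (*p == ':') return valid_port(p + 1);
    return 0; /* trailing garbage after the literal or host name */
}
```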
Remediation
Upgrade to the latest version of lighttpd or disable mod_mysql_vhost.