- Jann Horn reported a MySQL injection vulnerability in lighttpd (a lightweight web server) version 1.4.34 (and earlier) that results from a combination of two bugs:
  - request_check_hostname is too lax: it allows any host name starting with [ipv6-address] followed by anything but a colon, for example:

    ```
    GET /etc/passwd HTTP/1.1
    Host: [::1]' UNION SELECT '/
    ```
  - mod_mysql_vhost doesn't perform any quoting; it just replaces ? in the query string with the hostname.

  mod_evhost and mod_simple_vhost are vulnerable in a limited way too. A pattern such as evhost.path-pattern = "/var/www/%0/" with a host of "/../../../" leads to a document root of "/var/www//../../../", but as "/var/www/" usually doesn't exist, this fails (this might depend on the operating system in use). If directories like "/var/www/[...]" exist for IPv6 addresses as host names (or a user can create them), mod_evhost and mod_simple_vhost are vulnerable too.
- Upgrade to the latest version of lighttpd or disable mod_mysql_vhost.
- WordPress Plugin Relevanssi-A Better Search SQL Injection (3.6.0)
- WordPress Plugin Contus HD FLV Player 'process-sortable.php' SQL Injection (1.3)
- WordPress Plugin WP-Stats-Dashboard SQL Injection (2.9.4)
- WordPress Plugin WP-StarsRateBox 'j' Parameter SQL Injection (1.1)
- WordPress Plugin WordPress SEO by Yoast SQL Injection (184.108.40.206)
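
For the lighttpd Host header issue described above, a strict validator rejects both the `[::1]' UNION SELECT '/` value and the `/../../../` value before any vhost module sees them. This is an added example, not lighttpd's own code: the function names are hypothetical, and it assumes host names contain only letters, digits, `-` and `.`. It complements quoting in the SQL layer and does not replace it.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Optional port suffix: empty, or ':' followed by 1-5 digits with value <= 65535. */
static int port_suffix_ok(const char *s) {
    long port = 0;
    size_t n = 0;
    if (*s == '\0') return 1;
    if (*s++ != ':') return 0;
    for (; isdigit((unsigned char)s[n]); n++) {
        if (n == 5) return 0;                 /* a sixth digit is never valid */
        port = port * 10 + (s[n] - '0');
    }
    return n > 0 && s[n] == '\0' && port <= 65535;
}

/* Returns 1 only for host[:port], ipv4[:port] or [ipv6][:port]; 0 otherwise. */
int host_header_is_strict(const char *host) {
    size_t i = 0;
    if (host == NULL || *host == '\0' || strlen(host) > 255) return 0;
    if (host[0] == '[') {
        const char *end = strchr(host, ']');
        char addr[INET6_ADDRSTRLEN];
        struct in6_addr parsed;
        if (end == NULL) return 0;
        size_t len = (size_t)(end - host - 1);
        if (len == 0 || len >= sizeof(addr)) return 0;
        memcpy(addr, host + 1, len);
        addr[len] = '\0';
        if (inet_pton(AF_INET6, addr, &parsed) != 1) return 0;
        return port_suffix_ok(end + 1);       /* nothing but a port may follow ']' */
    }
    for (; host[i] != '\0' && host[i] != ':'; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;          /* no '/', quotes, spaces */
        if (c == '.' && (i == 0 || host[i - 1] == '.')) return 0;   /* no empty labels */
    }
    return i > 0 && port_suffix_ok(host + i);
}

int main(void) {
    const char *samples[] = { "[::1]:8080", "[::1]' UNION SELECT '/", "/../../../" }; /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-26s -> %s\n", samples[i], host_header_is_strict(samples[i]) ? "accept" : "reject");
    return 0;
}
```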