Description
Jann Horn reported a MySQL injection vulnerability in lighttpd (a
lightweight webserver) version 1.4.34 (and earlier) through a
combination of two bugs:
- request_check_hostname is too lax: it allows any host name starting with [ipv6-address] followed by anything but a colon, for example:

    GET /etc/passwd HTTP/1.1
    Host: [::1]' UNION SELECT '/

mod_evhost and mod_simple_vhost are vulnerable in a limited way too: with a pattern such as evhost.path-pattern = "/var/www/%0/", a host of "[]/../../../" leads to a document root of "/var/www/[]/../../../", but as "/var/www/[]" usually doesn't exist this fails (this might depend on the operating system in use). If directories like "/var/www/[...]" exist for IPv6 addresses as host names (or a user can create them), mod_evhost and mod_simple_vhost are vulnerable too.
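The difference between the lax check described above and a strict one, as an added example that is not lighttpd's own code: lax_host_ok is a simplified model of the described behaviour, strict_host_ok accepts only a bracketed IPv6 literal with an optional port. All function names are hypothetical, and non-bracketed host names are out of scope here (both functions reject them).

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Accept ":" followed by a decimal port in 1..65535, nothing else. */
static int port_ok(const char *p) {
    long port = 0;
    if (*p++ != ':' || *p == '\0') return 0;
    for (; *p; p++) {
        if (!isdigit((unsigned char)*p)) return 0;
        if ((port = port * 10 + (*p - '0')) > 65535) return 0;
    }
    return port > 0;
}

/* Simplified model of the lax behaviour described above (not lighttpd's
 * source): text after "]" is only inspected when it starts with a colon. */
static int lax_host_ok(const char *host) {
    const char *end = (host[0] == '[') ? strchr(host, ']') : NULL;
    if (!end) return 0;
    return end[1] == ':' ? port_ok(end + 1) : 1;
}

/* Strict check: "[" valid IPv6 "]", then end of string or ":port". */
static int strict_host_ok(const char *host) {
    char addr[INET6_ADDRSTRLEN];
    struct in6_addr bin;
    const char *end = (host[0] == '[') ? strchr(host, ']') : NULL;
    size_t len;

    if (!end) return 0;
    len = (size_t)(end - host) - 1;
    if (len == 0 || len >= sizeof(addr)) return 0;
    memcpy(addr, host + 1, len);
    addr[len] = '\0';
    if (inet_pton(AF_INET6, addr, &bin) != 1) return 0; /* rejects "[]" */
    return end[1] == '\0' || port_ok(end + 1);
}

int main(void) {
    /* The two Host values quoted on this page plus two constructed valid ones. */
    const char *hosts[] = { "[::1]' UNION SELECT '/", "[]/../../../",
                            "[::1]", "[::1]:8080" };
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-24s lax=%d strict=%d\n", hosts[i],
               lax_host_ok(hosts[i]), strict_host_ok(hosts[i]));
    return 0;
}
```

Validating the Host header this way only narrows the input; any module that places the host name into a SQL query or a file system path still needs to escape or canonicalise it itself.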
Remediation
Upgrade to the latest version of lighttpd or disable mod_mysql_vhost.