Bugzilla – Bug 867350
VUL-0: CVE-2014-2323 CVE-2014-2324: lighttpd: SQL injection
Last modified: 2015-02-28 16:00:07 UTC
EMBARGOED, via distros

From: Stefan Bühler <stbuehler@lighttpd.net>
Subject: ***UNCHECKED*** [vs] lighttpd 1.4.34 SQL injection CVE request + patch
Date: Fri, 7 Mar 2014 13:17:09 +0100

Hi,

Jann Horn reported a MySQL injection vulnerability in lighttpd [1] (a lightweight webserver) version 1.4.34 (and earlier) through a combination of two bugs:

* request_check_hostname is too lax: it allows any host names starting with [ipv6-address] followed by anything but a colon, for example:

  GET /etc/passwd HTTP/1.1
  Host: [::1]' UNION SELECT '/

* mod_mysql_vhost doesn't perform any quoting; it just replaces ? in the query string with the hostname.

mod_evhost and mod_simple_vhost are vulnerable in a limited way too; a pattern:

  evhost.path-pattern = "/var/www/%0/"

with a host "[]/../../../" leads to document root of "/var/www/[]/../../../", but as "/var/www/[]" usually doesn't exist this fails (this might depend on the operating system in use).

mod_status, mod_webdav and a global redirect handler use the host name without escaping too; in this case the client just gets the broken data back - the attacker doesn't gain anything here.

Could you please assign a CVE id? Should we consider the path traversal in mod_evhost / mod_simple_vhost a real vulnerability too?

In any case we'd like to publish this on Wed, 12 Mar 2014 12:00:00 UTC. Our advisory will be published at http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt

Draft for advisory and patch are attached. The next release (1.4.35) will include this and other fixes.

Kind regards,
Stefan

References:
* [1] http://www.lighttpd.net/

--
GPG fingerprints (not sure whether they get through):
stbuehler@lighttpd.net: C7CA 1E9E 29DC 77F5 4808 94B2 E0E7 D017 1E95 BAD7
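The report above describes two defects that combine: a Host check that accepts anything after a bracketed IPv6 literal as long as it is not a colon, and a vhost module that splices the raw hostname into SQL text. The following is an added illustration written for this page, not lighttpd's code or the attached patch: a strict Host validator in the shape of RFC 3986's host / host:port grammar, a vhost lookup that binds the hostname as a query parameter, and an evhost-style path substitution that refuses results escaping the document base. The in-memory sqlite3 table, the `domains` schema, the sample rows and all function names are constructed for the example; sqlite3 stands in for the MySQL table mod_mysql_vhost would query.

```python
"""Hardened Host-header handling for the two bug classes in the report:
a too-lax hostname check and SQL assembled by textual substitution."""
import ipaddress
import os
import re
import sqlite3
from typing import Optional

# One DNS label: alphanumerics with optional inner hyphens, at most 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# reg-name / IPv4address: dot-separated labels, optional trailing dot.
_REG_NAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")
_PORT = re.compile(r"^[0-9]{1,5}$")


def _valid_port(port: str) -> bool:
    return bool(_PORT.match(port)) and 1 <= int(port) <= 65535


def check_hostname(host: str) -> bool:
    """True only for 'host' or 'host:port' (RFC 3986 section 3.2.2).

    The weakness in the report was accepting '[' ... ']' followed by anything
    except a colon; here a bracketed literal must parse as an IPv6 address and
    may be followed only by an optional ':' port.
    """
    if not host or len(host) > 255:
        return False
    if host[0] == "[":
        close = host.find("]")
        if close < 0:
            return False
        try:
            ipaddress.IPv6Address(host[1:close])
        except ValueError:
            return False
        rest = host[close + 1:]
        return rest == "" or (rest[0] == ":" and _valid_port(rest[1:]))
    name, sep, port = host.partition(":")
    if sep and not _valid_port(port):
        return False
    return bool(_REG_NAME.match(name))


def server_name(host: str) -> str:
    """Strip the optional ':port' from an already-validated Host value
    (keeping the brackets of an IPv6 literal; a choice made for this example)."""
    if host[0] == "[":
        return host[: host.index("]") + 1]
    return host.partition(":")[0]


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the mod_mysql_vhost table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (domain TEXT PRIMARY KEY, docroot TEXT)")
    conn.executemany("INSERT INTO domains VALUES (?, ?)",
                     [("example.com", "/var/www/example.com"),
                      ("[::1]", "/var/www/localhost6")])
    return conn


def vhost_docroot(conn: sqlite3.Connection, host: str) -> Optional[str]:
    """Hardened lookup: validate the Host value, then bind it as a parameter.

    The vulnerable pattern replaced '?' in the configured query text with the
    raw hostname. Binding leaves quoting to the driver, so a value such as
    "[::1]' UNION SELECT '/" never reaches the SQL grammar even if validation
    were bypassed.
    """
    if not check_hostname(host):
        return None
    row = conn.execute("SELECT docroot FROM domains WHERE domain = ?",
                       (server_name(host),)).fetchone()
    return row[0] if row else None


def evhost_docroot(pattern: str, host: str, base: str = "/var/www") -> Optional[str]:
    """evhost-style substitution of %0 with the hostname, refusing any result
    that resolves outside `base` (the traversal case from the report)."""
    if not check_hostname(host):
        return None
    path = os.path.normpath(pattern.replace("%0", server_name(host)))
    if os.path.commonpath([base, path]) != base:
        return None
    return path


if __name__ == "__main__":
    db = build_demo_db()
    for h in ["example.com", "[::1]:8080", "[::1]' UNION SELECT '/", "[]/../../../"]:
        print(f"{h!r:28} valid={check_hostname(h)!s:5} docroot={vhost_docroot(db, h)}")
```

Validation alone neutralises both cases here, because the grammar admits neither a quote nor a slash, but the parameter binding is kept as a second layer: a vhost backend should not depend on the request parser being correct, which is exactly the coupling the two CVEs were assigned for.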
Created attachment 581370: lighttpd_sa_2014_01.txt (advisory draft from lighttpd)
Created attachment 581371: lighttpd-1.4.34_fix_mysql_injection.patch (suggested patch)
CRD March 12th 1200UTC
bugbot adjusting priority
is public now.
The SWAMPID for this issue is 56638. This issue was rated as important. Please submit fixed packages until 2014-03-19. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Affected packages: SLE-11-SP3: lighttpd
From: cve-assign@mitre.org

The number of CVEs doesn't necessarily depend on the number of changes that were required to address the reported attacks; instead, the number of CVEs can depend on whether issues could have been fixed independently. For example, the HTTP protocol specification doesn't require that a server validate that the Host header has the expected "host" or "host:port" syntax and otherwise send an error status code. If that were required, then there would only be one CVE.

Here, the issues could have been fixed independently, e.g., SQL injection fixed in mod_mysql_vhost.c, and then directory traversal fixed in the mod_simple_vhost_docroot function in mod_simple_vhost.c and the mod_evhost_parse_host function in mod_evhost.c. This could conceivably have been chosen if someone wanted mod_simple_vhost.c/mod_evhost.c to have access to the original string (maybe anticipating that "Host: host/pathname" could become meaningful for vhosts in a future HTTP protocol revision, or whatever).

So, there are two CVE assignments:

SQL injection - use CVE-2014-2323
path traversal - use CVE-2014-2324
Darix, any news here? The due date for submission is 2014-03-19. Thanks in advance.
submitted for all products
This is an autogenerated message for OBS integration: This bug (867350) was mentioned in https://build.opensuse.org/request/show/226644 13.1+12.3 / lighttpd
openSUSE-SU-2014:0449-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 867350
CVE References: CVE-2014-2323,CVE-2014-2324
Sources used:
openSUSE 13.1 (src): lighttpd-1.4.35-2.9.1
openSUSE 12.3 (src): lighttpd-1.4.35-6.9.1

Update released for: lighttpd, lighttpd-debuginfo, lighttpd-debugsource, lighttpd-mod_cml, lighttpd-mod_magnet, lighttpd-mod_mysql_vhost, lighttpd-mod_rrdtool, lighttpd-mod_trigger_b4_dl, lighttpd-mod_webdav
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-HAE 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)

SUSE-SU-2014:0474-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 867350
CVE References: CVE-2014-2323,CVE-2014-2324
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): lighttpd-1.4.20-2.54.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src): lighttpd-1.4.20-2.54.1

openSUSE-SU-2014:0496-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 867350
CVE References: CVE-2014-2323,CVE-2014-2324
Sources used:
openSUSE 11.4 (src): lighttpd-1.4.35-41.1
all packages were fixed
This is an autogenerated message for OBS integration: This bug (867350) was mentioned in https://build.opensuse.org/request/show/288228 Factory / lighttpd