Bug 932286 (CVE-2015-3200) - VUL-1: CVE-2015-3200: lighttpd: log injection via malformed base64 string in Authentication header
Status: RESOLVED FIXED
Alias: CVE-2015-3200
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/117067/
Whiteboard: CVSSv2:RedHat:CVE-2015-3200:5.0:(AV:N...
Reported: 2015-05-26 09:42 UTC by Alexander Bergmann
Modified: 2017-07-07 13:47 UTC

Found By: Security Response Team


Description Alexander Bergmann 2015-05-26 09:42:41 UTC
rh#1224909

A flaw was found in Lighttpd:

When the basic HTTP authentication base64 string does not contain a colon character (or contains it after a NULL byte, which can be inserted inside the base64 encoding), that situation is logged with the string ": is missing in " and the simply decoded base64 string. This means that new lines, NULL bytes and everything else can be encoded with base64 and are then inserted into the logs as they are after decoding.

For example, the header "Authorization: Basic dGVzdAAKMjEwMC0wMS0wMSAwMDowMDowMDogKG1hZ2ljLmMuODU5KSBJVCdTIFRIRSBFTkQgT0YgVEhFIFdPUkxEIQ==" results in two log lines:

"
2015-05-14 12:55:54: (http_auth.c.859) : is missing in test
2100-01-01 00:00:00: (magic.c.859) IT'S THE END OF THE WORLD
"

Upstream issue:

http://redmine.lighttpd.net/issues/2646

External References:

http://jaanuskp.blogspot.com/2015/05/cve-2015-3200.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1224909
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3200
http://seclists.org/oss-sec/2015/q2/542
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3200
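
Added example, not part of the original report and not lighttpd's own code: one way to neutralize the decoded value before it reaches the log, shown on the bytes the header above decodes to. The names log_escape, colon_seen_as_cstring and escaped_sample are hypothetical, and the strchr call is an assumed model of the colon check described in the report.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the bytes the report's Authorization value decodes to
 * ("test", NUL, newline, then the forged log line). */
static const char sample[] =
    "test\0\n2100-01-01 00:00:00: (magic.c.859) IT'S THE END OF THE WORLD!";
#define SAMPLE_LEN (sizeof(sample) - 1)

/* Hypothetical helper: copy in[0..len) to out, escaping backslash and every
 * byte outside printable ASCII, so one log call yields exactly one line.
 * Returns the length written, or (size_t)-1 if out is too small. */
size_t log_escape(const char *in, size_t len, char *out, size_t out_size)
{
    size_t o = 0;
    if (out_size == 0) return (size_t)-1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        char tmp[5];
        if (c == '\\')      strcpy(tmp, "\\\\");
        else if (c == '\n') strcpy(tmp, "\\n");
        else if (c >= 0x20 && c < 0x7f) { tmp[0] = (char)c; tmp[1] = '\0'; }
        else snprintf(tmp, sizeof tmp, "\\x%02x", (unsigned)c);
        size_t n = strlen(tmp);
        if (o + n + 1 > out_size) return (size_t)-1;
        memcpy(out + o, tmp, n);
        o += n;
    }
    out[o] = '\0';
    return o;
}

/* Assumed model of the colon check: a C-string search stops at the NUL. */
int colon_seen_as_cstring(void) { return strchr(sample, ':') != NULL; }

/* The sample rendered for logging; stays on a single line. */
const char *escaped_sample(void)
{
    static char buf[4 * SAMPLE_LEN + 1];
    size_t n = log_escape(sample, SAMPLE_LEN, buf, sizeof buf);
    return n == (size_t)-1 ? NULL : buf;
}

int main(void)
{
    printf("colon seen by strchr: %d\n", colon_seen_as_cstring());
    printf("(http_auth.c) : is missing in %s\n", escaped_sample());
    return 0;
}
```

Because the escaping works on an explicit length rather than a NUL-terminated string, the bytes after the embedded NUL are escaped too instead of being written raw.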
Comment 1 Swamp Workflow Management 2015-05-26 22:00:46 UTC
bugbot adjusting priority
Comment 3 Forgotten User 97vi__g7qo 2016-12-24 19:45:36 UTC
please update lighttpd package to lighttpd 1.4.44
openFATE: https://features.opensuse.org/322299
Comment 4 Marcus Rückert 2017-03-06 14:06:54 UTC
Leap: Using target project 'openSUSE:Maintenance' MR#477281
Comment 5 Marcus Rückert 2017-03-07 10:35:46 UTC
SLE 11: created request id 128820

SLE 12: created request id 128821
Comment 9 Swamp Workflow Management 2017-03-17 17:12:43 UTC
SUSE-SU-2017:0728-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 932286,981347,990847
CVE References: CVE-2015-3200,CVE-2016-1000212
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    lighttpd-1.4.35-3.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    lighttpd-1.4.35-3.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    lighttpd-1.4.35-3.1
Comment 10 Swamp Workflow Management 2017-03-17 17:14:37 UTC
SUSE-SU-2017:0731-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 932286,981347,990847
CVE References: CVE-2015-3200,CVE-2016-1000212
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    lighttpd-1.4.20-2.58.1
SUSE Linux Enterprise Server for SAP 11-SP4 (src):    lighttpd-1.4.20-2.58.1
SUSE Linux Enterprise High Availability Extension 11-SP4 (src):    lighttpd-1.4.20-2.58.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    lighttpd-1.4.20-2.58.1
Comment 11 Johannes Segitz 2017-07-07 13:47:07 UTC
released