Bug 504330 (CVE-2014-2323) - <www-servers/lighttpd-1.4.35 : sql injection and directory traversal (CVE-2014-2323)
Summary: <www-servers/lighttpd-1.4.35 : sql injection and directory traversal (CVE-201...
Status: RESOLVED FIXED
Alias: CVE-2014-2323
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://download.lighttpd.net/lighttpd...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-12 16:06 UTC by Agostino Sarubbo
Modified: 2014-06-13 20:44 UTC (History)
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2014-03-12 16:06:15 UTC
From ${URL} :

 Description
-------------

Jann Horn <jann@thejh.net> reported a MySQL injection vulnerability through 
a combination of two bugs:

* request_check_hostname is too lax: it allows any host names starting with
  [ipv6-address] followed by anything but a colon, for example:

  GET /etc/passwd HTTP/1.1
  Host: [::1]' UNION SELECT '/

* mod_mysql_vhost doesn't perform any quoting; it just replaces ? in the 
  query string with the hostname.


mod_evhost and mod_simple_vhost are vulnerable in a limited way too; a 
pattern: evhost.path-pattern = "/var/www/%0/" with a host "[]/../../../" 
leads to document root of "/var/www/[]/../../../", but as "/var/www/[]" 
usually doesn't exist this fails (this might depend on the operating 
system in use).
If there exist directories like "/var/www/[...]" for IPv6 addresses as 
host names (or a user can create them) mod_evhost and mod_simple_vhost 
are vulnerable too.

mod_status, mod_webdav and a global redirect handler use the host name 
without escaping too; in these cases the client just gets the broken data 
back - the attacker doesn't gain anything here.

 Detailed analysis
-------------------

Quoting the report from Jann Horn:
> Have a look at this special case of request_check_hostname in request.c:
[ see http://git.lighttpd.net/lighttpd/lighttpd-1.x.git/tree/src/request.c?id=lighttpd-1.4.34#n41 ]
> So, when the hostname starts with a '[', only this block of code validates the 
> user-supplied hostname. First, the code incorrectly commented with 
> "/* check portnumber */" checks that until ']', only something resembling an 
> IPv6 address can appear. Then it is checked that the hostname is correctly 
> terminated with a ']'. But then, it only validates that a correct port number 
> follows if the next char is a ':'. If the next char is anything else, the rest 
> of the Host header is not subjected to any kind of check before being stored 
> into con->uri.authority.

> In a lighttpd without anything special, this already means that an attacker can 
> sneak spaces into the logfile, potentially confusing logfile parsers. However, 
> it gets really interesting when the server uses mod_mysql_vhost (not 
> mod_simple_vhost or mod_evhost): con->uri.authority is inserted into an SQL 
> query without any escaping, allowing the attacker to control what the database 
> responds with - and the response of the database is then taken as document 
> root. Therefore, an attacker can change the document root to / for his request 
> and thereby effectively perform directory traversal.

If one wants to search for uses of con->uri.authority one should also search 
for con->server_name.

 Affected versions
-------------------

All versions up to and including 1.4.34.

 Patch
-------

See http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.34_fix_mysql_injection.patch

 Fixed in
----------

1.4.x: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2959
1.4.35: https://www.lighttpd.net/2014/3/12/1.4.35/

 Solutions or workaround
-------------------------

* Disable mod_mysql_vhost.
* Don't use mod_evhost or mod_simple_vhost for IPv6 addresses as host names
  (i.e. don't have and don't allow creation of "[...]" directories in the
  base directories)

 References
------------

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-???? - not assigned yet
[2] http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2959/diff/



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
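Added example (written for this page; it is not lighttpd's request_check_hostname and not part of the report above): a strict Host-header validator in C that closes the gap the advisory describes. Inside the brackets only hex digits and ':' are accepted (the simplified check does not handle IPv4-mapped dotted forms), and after the closing ']' only end-of-string or ':' followed by 1 to 5 digits is allowed, so a value like the "[::1]' UNION ..." header quoted above is rejected before it can reach a vhost lookup. The function names check_hostname and valid_port and the sample inputs in main() are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Helper (assumed name): p points just past a ':'; accept 1..5 digits and
 * nothing else, so "[::1]:" and "[::1]:8x" are both rejected. */
static int valid_port(const char *p)
{
    size_t n = 0;
    if (*p == '\0') return 0;
    for (; *p; p++, n++) {
        if (!isdigit((unsigned char)*p)) return 0;
    }
    return n <= 5;
}

/* Strict Host header check (assumed name). Returns 1 if the value is one of
 *   [ipv6-literal]        [ipv6-literal]:port
 *   host.name             host.name:port
 * and 0 for anything else. The key point versus the lax check in the
 * advisory: whatever follows ']' must be end-of-string or ':'+digits. */
int check_hostname(const char *host)
{
    const char *p;

    if (host == NULL || *host == '\0') return 0;

    if (host[0] == '[') {
        size_t n = 0;
        /* inside the brackets only hex digits and ':' may appear */
        for (p = host + 1; *p && *p != ']'; p++, n++) {
            if (!isxdigit((unsigned char)*p) && *p != ':') return 0;
        }
        /* unterminated, empty ("[]/../.."), or longer than any IPv6 text */
        if (*p != ']' || n == 0 || n > 39) return 0;
        p++;                                      /* step over ']' */
        if (*p == '\0') return 1;                 /* "[::1]" */
        if (*p == ':') return valid_port(p + 1);  /* "[::1]:8080" */
        return 0;                                 /* "[::1]' UNION ..." */
    }

    /* plain host name: letters, digits, '-', '.', then optional :port */
    for (p = host; *p && *p != ':'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    if (p == host) return 0;
    if (*p == ':') return valid_port(p + 1);
    return 1;
}

int main(void)
{
    /* constructed sample Host values, including the two from the advisory */
    const char *samples[] = {
        "[::1]", "[::1]:8080", "www.example.org:80",
        "[::1]' UNION SELECT '/", "[]/../../../", "[::1]:", "[::1"
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i],
               check_hostname(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Rejecting the header is the first half of the fix; the vhost lookup that consumes it should still pass the value through a parameterised query or the client library's quoting routine rather than splicing it into SQL text, so that a future change to the validator cannot reopen the injection.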
Comment 1 Markos Chandras (RETIRED) gentoo-dev 2014-03-12 18:10:53 UTC
1.4.35 is in the tree. Please allow a few days for people to try it before you CC arches.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-03-27 11:37:11 UTC
CVE-2014-2323 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2323):
  SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35
  allows remote attackers to execute arbitrary SQL commands via the host name,
  related to request_check_hostname.
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-03-27 12:15:53 UTC
Arches, please test and mark stable:

=www-servers/lighttpd-1.4.35

target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-28 03:30:03 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2014-03-28 18:26:29 UTC
amd64 stable
Comment 6 Markus Meier gentoo-dev 2014-04-01 19:00:08 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-04-12 09:33:41 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-04-13 11:08:10 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-04-21 10:50:39 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-05-11 08:10:15 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-05-13 15:21:34 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-05-14 16:11:34 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-06 12:27:21 UTC
+  06 Jun 2014; Mikle Kolyada <zlogene@gentoo.org> -lighttpd-1.4.32-r3.ebuild,
+  -lighttpd-1.4.34.ebuild:
+  Drop insecure versions
+

Added to existing glsa draft.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-06-13 20:44:17 UTC
This issue was resolved and addressed in
 GLSA 201406-10 at http://security.gentoo.org/glsa/glsa-201406-10.xml
by GLSA coordinator Sergey Popov (pinkbyte).