From ${URL} : Description ------------- Jann Horn <jann@thejh.net> reported a MySQL injection vulnerability through a combination of two bugs: * request_check_hostname is too lax: it allows any host names starting with [ipv6-address] followed by anything but a colon, for example: GET /etc/passwd HTTP/1.1 Host: [::1]' UNION SELECT '/ * mod_mysql_vhost doesn't perform any quoting; it just replaces ? in the query string with the hostname. mod_evhost and mod_simple_vhost are vulnerable in a limited way too; a pattern: evhost.path-pattern = "/var/www/%0/" with a host "[]/../../../" leads to document root of "/var/www/[]/../../../", but as "/var/www/[]" usually doesn't exists this fails (this might depend on the operating system in use). If there exist directories like "/var/www/[...]" for IPv6 addresses as host names (or a user can create them) mod_evhost and mod_simple_vhost are vulnerable too. mod_status, mod_webdav and a global redirect handler use the host name without escaping too; in these cases the client just gets the broken data back - the attacker doesn't gain anything here. Detailed analysis ------------------- Quoting the report from Jann Horn: > Have a look at this special case of request_check_hostname in request.c: [ see http://git.lighttpd.net/lighttpd/lighttpd-1.x.git/tree/src/request.c?id=lighttpd-1.4.34#n41 ] > So, when the hostname starts with a '[', only this block of code validates the > user-supplied hostname. First, the code incorrectly commented with > "/* check portnumber */" checks that until ']', only something resembling an > IPv6 address can appear. Then it is checked that the hostname is correctly > terminated with a ']'. But then, it only validates that a correct port number > follows if the next char is a ':'. If the next char is anything else, the rest > of the Host header is not subjected to any kind of check before being stored > into con->uri.authority. > In a lighttpd without anything special, this already means that an attacker can > sneak spaces into the logfile, potentially confusing logfile parsers. However, > it gets really interesting when the server uses mod_mysql_vhost (not > mod_simple_vhost or mod_evhost): con->uri.authority is inserted into an SQL > query without any escaping, allowing the attacker to control what the database > responds with - and the response of the database is then taken as document > root. Therefore, an attacker can change the document root to / for his request > and thereby effectively perform directory traversal. If one wants to search for uses of con->uri.authority one should also search for con->server_name. Affected versions ------------------- All versions up to and including 1.4.34. Patch ------- See http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.34_fix_mysql_injection.patch Fixed in ---------- 1.4.x: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2959 1.4.35: https://www.lighttpd.net/2014/3/12/1.4.35/ Solutions or workaround ------------------------- * Disable mod_mysql_vhost. * Don't use mod_evhost or mod_simple_vhost for IPv6 addresses as host names (i.e. don't have and don't allow creation of "[...]" directories in the base directories) References ------------ [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-???? - not assigned yet [2] http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2959/diff/ @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
1.4.35 is in the tree. Please allow a few days for people to try it before you CC arches.
CVE-2014-2323 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2323): SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
Arches, please test and mark stable: =www-servers/lighttpd-1.4.35 target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA.
amd64 stable
arm stable
x86 stable
ppc stable
alpha stable
ppc64 stable
ia64 stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
+ 06 Jun 2014; Mikle Kolyada <zlogene@gentoo.org> -lighttpd-1.4.32-r3.ebuild, + -lighttpd-1.4.34.ebuild: + Drop insecure versions + Added to existing glsa draft.
This issue was resolved and addressed in GLSA 201406-10 at http://security.gentoo.org/glsa/glsa-201406-10.xml by GLSA coordinator Sergey Popov (pinkbyte).