[v2.7] lighttpd: mod_mysql_vhost SQL injection (CVE-2014-2323, CVE-2014-2324)
Jann Horn <firstname.lastname@example.org> reported a MySQL injection made possible by
a combination of two bugs:
- request_check_hostname is too lax: it accepts any host name of the form
[ipv6-address] followed by anything but a colon, for example:
GET /etc/passwd HTTP/1.1
Host: [::1]' UNION SELECT '/
- mod_mysql_vhost doesn't perform any quoting; it just replaces ? in the
query string with the hostname.
mod_evhost and mod_simple_vhost are vulnerable in a limited way too;
for example the pattern evhost.path-pattern = "/var/www/%0/" with a host "/../../../"
leads to a document root of "/var/www//../../../", but as "/var/www/"
usually doesn't exist this fails (this might depend on the operating
system in use).
If there exist directories like "/var/www/[...]" for IPv6 addresses as
host names (or a user can create them) mod_evhost and mod_simple_vhost
are vulnerable too.
mod_status, mod_webdav and a global redirect handler use the host
without escaping too; in these cases the client just gets the broken data
back - the attacker doesn’t gain anything here.
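The lax host check is the root of both issues above: once anything may follow the closing "]", the unchecked remainder of the Host header reaches mod_mysql_vhost's query string and the vhost path patterns unescaped. The following is an added example, not lighttpd's own request_check_hostname from request.c; the function names are hypothetical. It shows the strict form of the bracketed-host check: after "]" the header must end, or continue with ":" and a port number in range, and anything else is rejected, so the example header from the report never reaches a query.

```c
/* Added example (not lighttpd code): a strict validator for the
 * "[ipv6-literal]" form of the Host header, optionally followed by
 * ":port". It rejects any other byte after the closing ']', which is
 * the gap the original check left open when the next byte was not ':'.
 * Function names are hypothetical. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if host (len bytes, not necessarily NUL-terminated) is an
 * acceptable bracketed IPv6 host with an optional port, 0 otherwise.
 * Only the bracketed form is handled here; plain DNS names would go
 * through a separate check. */
int check_bracketed_host(const char *host, size_t len) {
    size_t i;
    unsigned long port = 0;

    if (len < 3 || host[0] != '[') return 0;       /* need at least "[x]" */

    /* Inside the brackets only hex digits, ':' and '.' (IPv4-mapped
     * addresses) may appear; this mirrors the "check portnumber" block
     * the report describes, which is the part the original got right. */
    for (i = 1; i < len && host[i] != ']'; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isxdigit(c) || c == ':' || c == '.')) return 0;
    }
    if (i == len || i == 1) return 0;             /* no ']' at all, or "[]" */
    i++;                                          /* step past ']' */
    if (i == len) return 1;                       /* "[::1]" with no port */

    /* This is the missing branch: anything other than ':' after ']' is an
     * error, rather than being passed through unchecked. */
    if (host[i] != ':') return 0;
    i++;
    if (i == len) return 0;                       /* "[::1]:" with empty port */
    for (; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isdigit(c)) return 0;                /* quotes, spaces, letters */
        port = port * 10 + (unsigned long)(c - '0');
        if (port > 65535) return 0;               /* port out of range */
    }
    return 1;
}

/* Convenience wrapper for NUL-terminated strings. */
int check_host_cstr(const char *host) {
    return check_bracketed_host(host, strlen(host));
}

int main(void) {
    /* Constructed sample headers: one legitimate, one with a trailing port,
     * and the injection attempt shape quoted in the report. */
    const char *samples[] = {
        "[::1]",
        "[2001:db8::1]:443",
        "[::1]' UNION SELECT '/",
        "[::1]:",
        "[::1]:70000",
    };
    size_t n;
    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        printf("%-28s -> %s\n", samples[n],
               check_host_cstr(samples[n]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The key design point is that validation happens before the value is stored in con->uri.authority, so every later consumer (the vhost modules, the access log, mod_status) sees only a host that matches the grammar; escaping at each use site would still be prudent, but it is no longer the only line of defence.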
Quoting the report from Jann Horn:
Have a look at this special case of request_check_hostname in request.c:
[ see http://git.lighttpd.net/lighttpd/lighttpd-1.x.git/tree/src/request.c?id=lighttpd-1.4.34#n41 ]
So, when the hostname starts with a '[', only this block of code validates the
user-supplied hostname. First, the code incorrectly commented with
"/* check portnumber */" checks that until ']', only something resembling an
IPv6 address can appear. Then it is checked that the hostname is correctly
terminated with a ']'. But then, it only validates that a correct port number
follows if the next char is a ':'. If the next char is anything else, the rest
of the Host header is not subjected to any kind of check before being stored
In a lighttpd without anything special, this already means that an attacker can
sneak spaces into the logfile, potentially confusing logfile parsers. However,
it gets really interesting when the server uses mod_mysql_vhost (not
mod_simple_vhost or mod_evhost): con->uri.authority is inserted into an SQL
query without any escaping, allowing the attacker to control what the database
responds with - and the response of the database is then taken as document
root. Therefore, an attacker can change the document root to / for his request
and thereby effectively perform directory traversal.
If one wants to search for uses of con->uri.authority one should also
All versions up to and including 1.4.34.
Solutions or workaround
- Disable mod_mysql_vhost.
- Don't use mod_evhost or mod_simple_vhost for IPv6 addresses as
(i.e. don't have and don't allow creation of "[...]" directories in the
(from redmine: issue id 2763, created on 2014-03-13, closed on 2014-03-14)
- Revision 64308802 by Natanael Copa on 2014-03-13T10:34:50Z:
main/lighttpd: security upgrade to 1.4.35 (CVE-2014-2323,CVE-2014-2324) fixes #2763