Hi, Jann Horn reported a MySQL injection vulnerability in lighttpd [1] (a lightweight webserver) version 1.4.34 (and earlier) through a combination of two bugs: * request_check_hostname is too lax: it allows any host names starting with [ipv6-address] followed by anything but a colon, for example: GET /etc/passwd HTTP/1.1 Host: [::1]' UNION SELECT '/ * mod_mysql_vhost doesn't perform any quoting; it just replaces ? in the query string with the hostname. mod_evhost and mod_simple_vhost are vulnerable in a limited way too; a pattern: evhost.path-pattern = "/var/www/%0/" with a host "[]/../../../" leads to document root of "/var/www/[]/../../../", but as "/var/www/[]" usually doesn't exists this fails (this might depend on the operating system in use). If there exist directories like "/var/www/[...]" for IPv6 addresses as host names (or a user can create them) mod_evhost and mod_simple_vhost are vulnerable too. mod_status, mod_webdav and a global redirect handler use the host name without escaping too; in this case the client just gets the broken data back - the attacker doesn't gain anything here. See our advisory for more details: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt I requested a CVE on distros, but Kurt wasn't sure whether one or multiple CVE ids should be assigned, and had some questions: --- On Tue, 11 Mar 2014 14:58:53 -0600 Kurt Seifried <kseifried () redhat com> wrote: [...] This appears to be a messy CVE in the sense of intersecting vulnerabilities, but it looks like we also have multiple vulns: 1) request_check_hostname filtering Yes. 2) mod_mysql_vhost doesn't perform any quoting - is there any way to get data to it beyond the request_check_hostname? (I'm guessing no known ways, but maybe in future one is found?) It only uses the hostname as "input", and I can think of only 3 sources: * Host: header * request line: METHOD scheme://hostname/... HTTP/1.1 * config file I think the first two get validated with request_check_hostname. 3) mod_evhost and mod_simple_vhost are potentially vuln as well - this one seems less likely as you need the specific config pattern for the directory, so request_check_hostname should be the only concern right? Actually if you have "vhost" directories (or a user can create them) like "[::]" (or real IPv6 addresses) they both are vulnerable to path traversal. 4) mod_status, mod_webdav and a global redirect handler use the host name without escaping too; in this case the client just gets the broken data back - the attacker doesn't gain anything here. can #4 be used for anything like HTTP response splitting? XSS? In this case the HTTP request would already be splitted afaics. --- Imho the main bug is in request_check_hostname; it doesn't seem wrong for a module to rely on valid hostnames. They don't read it from the HTTP header list but use a special variable "uri.authority". While we added hardening (quoting) in the mysql module, we did not harden mod_evhost and mod_simple_vhost - they'll be relying on request_check_hostname. Could you please assign one or multiple CVE ids? Regards, Stefan