Lighttpd Mod_FastCGI Request Headers Remote Header Overflow Vulnerability
BID: 25622
Info
| Bugtraq ID: | 25622 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2007-4727 |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 10 2007 12:00AM |
| Updated: | Mar 19 2015 09:43AM |
| Credit: | Mattias Bengtsson <[email protected]> and Philip Olausson <[email protected]> discovered this issue. |
| Vulnerable: | SuSE SUSE Linux Enterprise Server 8; SuSE SUSE Linux Enterprise Server 10 SP1; SuSE SUSE Linux Enterprise Server 10; SuSE SUSE Linux Enterprise SDK 10.SP1; SuSE SUSE Linux Enterprise SDK 10; SuSE SUSE Linux Enterprise Desktop 10 SP1; SuSE SUSE Linux Enterprise Desktop 10; SuSE openSUSE 10.3; SuSE Linux Professional 10.2 x86_64; SuSE Linux Personal 10.2 x86_64; S.u.S.E. UnitedLinux 1.0; S.u.S.E. SuSE Linux Standard Server 8.0; S.u.S.E. SuSE Linux School Server for i386; S.u.S.E. SUSE LINUX Retail Solution 8.0; S.u.S.E. SuSE Linux Openexchange Server 4.0; S.u.S.E. openSUSE 10.2; S.u.S.E. Open-Enterprise-Server 0; S.u.S.E. Novell Linux POS 9; S.u.S.E. Novell Linux Desktop 9.0; S.u.S.E. Linux Professional 10.0 OSS; S.u.S.E. Linux Professional 10.0; S.u.S.E. Linux Professional 10.2; S.u.S.E. Linux Professional 10.1; S.u.S.E. Linux Personal 10.0 OSS; S.u.S.E. Linux Personal 10.2; S.u.S.E. Linux Personal 10.1; S.u.S.E. Linux Desktop 10; S.u.S.E. Linux 10.1 x86-64; S.u.S.E. Linux 10.1 x86; S.u.S.E. Linux 10.1 ppc; S.u.S.E. Linux 10.0 x86-64; S.u.S.E. Linux 10.0 x86; S.u.S.E. Linux 10.0 ppc; rPath rPath Linux 1; Red Hat Fedora Core7; lighttpd lighttpd 1.4.17; lighttpd lighttpd 1.4.16; lighttpd lighttpd 1.4.15; lighttpd lighttpd 1.4.14; lighttpd lighttpd 1.4.13; lighttpd lighttpd 1.4.12; lighttpd lighttpd 1.4.11; lighttpd lighttpd 1.4.10; lighttpd lighttpd 1.4.9; lighttpd lighttpd 1.4.8; lighttpd lighttpd 1.4.7; lighttpd lighttpd 1.4.6; lighttpd lighttpd 1.4.5; lighttpd lighttpd 1.4.4; lighttpd lighttpd 1.4.3; lighttpd lighttpd 1.4.2; lighttpd lighttpd 1.4.1; lighttpd lighttpd 1.4; lighttpd lighttpd 1.3.10; lighttpd lighttpd 1.3.8; lighttpd lighttpd 1.3.7; lighttpd lighttpd 1.4.10a; Gentoo Linux; Foresight Linux Foresight Linux 1.1; Debian Linux 4.0 sparc; Debian Linux 4.0 s/390; Debian Linux 4.0 powerpc; Debian Linux 4.0 mipsel; Debian Linux 4.0 mips; Debian Linux 4.0 m68k; Debian Linux 4.0 ia-64; Debian Linux 4.0 ia-32; Debian Linux 4.0 hppa; Debian Linux 4.0 arm; Debian Linux 4.0 amd64; Debian Linux 4.0 alpha; Debian Linux 4.0 |
| Not Vulnerable: | lighttpd lighttpd 1.4.18 |
Discussion
Lighttpd is prone to a remote header-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it.
An attacker may exploit this issue to overwrite PHP headers such as 'SCRIPT_FILENAME'. This may allow the attacker to execute script code, obtain sensitive information, and launch other attacks. Exploiting this issue may also aid in the remote compromise of an affected computer.
Lighttpd 1.4.17 is vulnerable; prior versions may also be affected.
Exploit / POC
UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
The following exploits demonstrate this issue:
Solution / Fix
Solution:
The vendor has released Lighttpd 1.4.18 to address this issue. Please see the references for more information.
Affected lighttpd releases: lighttpd 1.3.7, 1.3.8, 1.3.10, 1.4, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.10a, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16 and 1.4.17.
Fix for all of the above: lighttpd lighttpd-1.4.18.tar.bz2
http://www.lighttpd.net/download/lighttpd-1.4.18.tar.bz2
References
References:
- lighttpd Home Page (lighttpd)
- FastCGI header overrun in mod_fastcgi (Lighttpd)
- Lighttpd FastCGI Remote Vulnerability (secweb.se)