Description
Jann Horn reported a MySQL injection vulnerability in lighttpd (a
lightweight webserver) version 1.4.34 (and earlier) through a
combination of two bugs:
- request_check_hostname is too lax: it allows any host names starting with [ipv6-address] followed by anything but a colon, for example:
GET /etc/passwd HTTP/1.1 Host: [::1]' UNION SELECT '/
mod_evhost and mod_simple_vhost are vulnerable in a limited way too; a pattern: evhost.path-pattern = "/var/www/%0/" with a host "[]/../../../" leads to document root of "/var/www/[]/../../../", but as "/var/www/[]" usually doesn't exists this fails (this might depend on the operating system in use). If there exist directories like "/var/www/[...]" for IPv6 addresses as host names (or a user can create them) mod_evhost and mod_simple_vhost are vulnerable too.
Remediation
Upgrade to the latest version of lighttpd or disable mod_mysql_vhost.
References
Related Vulnerabilities
WordPress Plugin Booking Calendar Directory Traversal (7.0)
WordPress Plugin Mail Masta Multiple SQL Injection Vulnerabilities (1.0)
WordPress Plugin Store Locator Plus for WordPress Multiple Vulnerabilities (3.0.1)
WordPress Plugin Download Manager Directory Traversal (3.2.54)
WordPress Plugin Visual Email Designer for WooCommerce SQL Injection (1.7.1)