lighttpd v1.4.34 SQL injection and path traversal - Vulnerability Database

Description

Lighttpd version 1.4.34 and earlier contains two critical vulnerabilities that can be exploited in combination. The first is in the request_check_hostname function, which validates HTTP Host headers improperly: it accepts a malformed IPv6 address followed by arbitrary characters (anything except a colon). The second is in mod_mysql_vhost, which does not sanitize the hostname before inserting it into SQL queries; the '?' placeholders in the configured query are replaced directly with the unsanitized value. Together, these flaws allow an attacker to inject SQL through a specially crafted Host header. In addition, mod_evhost and mod_simple_vhost are vulnerable to path traversal when they process malformed IPv6 hostnames, which can expose files outside the intended document root if a suitable directory structure exists on the server.

Remediation

Immediately upgrade to lighttpd version 1.4.35 or later, which addresses both CVE-2014-2323 (SQL injection) and CVE-2014-2324 (path traversal). If an immediate upgrade is not possible, disable the vulnerable modules in lighttpd.conf, either by removing them from server.modules with the following directives or by commenting out the lines that load them:

server.modules -= ( "mod_mysql_vhost" )
server.modules -= ( "mod_evhost" )
server.modules -= ( "mod_simple_vhost" )

After making configuration changes, restart the lighttpd service. If mod_mysql_vhost functionality is required and upgrading is delayed, implement a reverse proxy (such as nginx or Apache) in front of lighttpd with strict Host header validation to filter malicious requests. Verify the fix by testing that malformed Host headers like "[::1]' UNION SELECT '/" are properly rejected. Review application logs for any suspicious Host header patterns that may indicate prior exploitation attempts.
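As an added example (not Invicti's or lighttpd's code), the strict Host header check a front-end reverse proxy or a log-review script would apply: a hostname, IPv4 literal or bracketed IPv6 literal, optionally followed by a port, with nothing else allowed after the closing bracket. It also scans constructed sample log lines, assumed to be in lighttpd's default accesslog layout with %V as the request host, and reports clients whose Host value fails the check.

```python
import ipaddress
import re

# Grammar accepted by the strict check: a DNS hostname or IPv4 literal, or an
# RFC 3986 bracketed IPv6 literal, each with an optional :port and nothing else.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_NAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?(?::(?P<port>\d{{1,5}}))?$")
_IPV6_RE = re.compile(r"^\[(?P<ip6>[0-9A-Fa-f:.]+)\](?::(?P<port>\d{1,5}))?$")


def host_header_is_valid(value: str) -> bool:
    """Return True only if value is a well-formed host[:port]."""
    if not value or len(value) > 255:
        return False
    if value.startswith("["):
        m = _IPV6_RE.match(value)  # anything after ']' other than :port fails
        if not m:
            return False
        try:
            ipaddress.IPv6Address(m.group("ip6"))  # must also be a real address
        except ValueError:
            return False
    else:
        m = _NAME_RE.match(value)
        if not m:
            return False
    port = m.group("port")
    return port is None or 1 <= int(port) <= 65535


# Constructed sample lines, assumed to follow lighttpd's default accesslog
# layout "%h %V %u %t ..." where %V is the unquoted request Host.
SAMPLE_LOG = """\
198.51.100.7 example.com - [10/Mar/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.35"
198.51.100.7 [::1]' UNION SELECT '/ - [10/Mar/2014:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.35"
203.0.113.5 [2001:db8::1]:8080 - [10/Mar/2014:10:00:03 +0000] "GET /a HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Lazy host match bounded by " <user> [<timestamp>]" copes with spaces in %V.
_LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<host>.+?) (?P<user>\S+) \[(?P<ts>[^\]]+)\] ")


def suspicious_hosts(log_text: str) -> list:
    """Return (client_ip, host) for each line whose Host fails the strict check."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and not host_header_is_valid(m.group("host")):
            hits.append((m.group("ip"), m.group("host")))
    return hits
```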