The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.

According to its banner, the version of lighttpd running on the remote host is 1.4.31. It is, therefore, affected by a denial of service vulnerability. An error in the http_request_split_value() function in 'src/request.c' can cause the application to enter an endless loop when handling specially crafted 'Connection' header requests.

Note that the scanner has not tested for this issue but has instead relied only on the version in the server's banner.

The remote host is affected by the vulnerability described in GLSA-201406-10 (lighttpd: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in lighttpd. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could create a Denial of Service condition.
      Futhermore, a remote attacker may be able to execute arbitrary SQL       statements.
  Workaround :

    There is no known workaround at this time.

- Fixing bnc#790258 CVE-2012-5533: Denial of Service via     specially crafted HTTP header. Added patches:
    0001-Fix-DoS-in-header-value-split-reported-by-Jesse-Sip     p.patch     0001-remove-whitespace-at-end-of-header-keys.patch

One important denial of service (in 1.4.31) fix: CVE-2012-5533.

A flaw was found in lighttpd version 1.4.31 that could be exploited by a remote user to cause a denial of service condition in lighttpd. A client could send a malformed Connection header to lighttpd (such as 'Connection: TE,,Keep-Alive'), which would cause lighttpd to enter an endless loop, detecting an empty token but not incrementing the current string position, causing it to continually read ',' over and over.

This flaw was introduced in 1.4.31 [1] when an 'invalid read' bug was fixed [2].

[1] http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/283 0/diff/ [2] http://redmine.lighttpd.net/issues/2413

Acknowledgement :

Red Hat would like to thank Stefan Buhler for reporting this issue.
Upstream acknowledges Jesse Sipprell from McClatchy Interactive, Inc.
as the original reporter.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the 'Connection: TE,,Keep-Alive' header.

The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the Connection: TE,,Keep-Alive header (CVE-2012-5533).

According to its banner, the version of lighttpd running on the remote host is 1.4.31. It is, therefore, affected by a denial of service vulnerability. An error in the http_request_split_value() function in 'src/request.c' can cause the application to enter an endless loop when handling specially crafted 'Connection' header requests.

Note that Nessus has not tested for this issue but has instead relied only on the version in the server's banner.

Lighttpd security advisory reports :

Certain Connection header values will trigger an endless loop, for example : 'Connection: TE,,Keep-Alive'

On receiving such value, lighttpd will enter an endless loop, detecting an empty token but not incrementing the current string position, and keep reading the ',' again and again.

This bug was introduced in 1.4.31, when we fixed an 'invalid read' bug (it would try to read the byte before the string if it started with ',', although the value wasn't actually used).

ID	Name	Product	Family	Severity
112356	lighttpd 1.4.31 http_request_split_value Function Header Handling DoS	Web App Scanning	Component Vulnerability	high
76062	GLSA-201406-10 : lighttpd: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
74819	openSUSE Security Update : lighttpd (openSUSE-SU-2012:1532-1)	Nessus	SuSE Local Security Checks	medium
69775	Fedora 19 : lighttpd-1.4.32-1.fc19 (2013-15345)	Nessus	Fedora Local Security Checks	medium
69774	Fedora 18 : lighttpd-1.4.32-1.fc18 (2013-15344)	Nessus	Fedora Local Security Checks	medium
69738	Amazon Linux AMI : lighttpd (ALAS-2013-179)	Nessus	Amazon Linux Local Security Checks	medium
66112	Mandriva Linux Security Advisory : lighttpd (MDVSA-2013:100)	Nessus	Mandriva Local Security Checks	medium
63094	lighttpd 1.4.31 http_request_split_value Function Header Handling DoS	Nessus	Web Servers	medium
63016	FreeBSD : lighttpd -- remote DoS in header parsing (1cd3ca42-33e6-11e2-a255-5404a67eef98)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2012-5533

high

Tenable Plugins

high

high

medium

medium

medium

medium

medium

medium

medium