According to its banner, the version of lighttpd running on the remote host is 1.4.31. It is, therefore, affected by a denial of service vulnerability. An error in the http_request_split_value() function in 'src/request.c' can cause the application to enter an endless loop when handling specially crafted 'Connection' header requests.

Note that the scanner has not tested for this issue but has instead relied only on the version in the server's banner.

Lighttpd security advisory reports :

Certain Connection header values will trigger an endless loop, for example : 'Connection: TE,,Keep-Alive'

On receiving such value, lighttpd will enter an endless loop, detecting an empty token but not incrementing the current string position, and keep reading the ',' again and again.

This bug was introduced in 1.4.31, when we fixed an 'invalid read' bug (it would try to read the byte before the string if it started with ',', although the value wasn't actually used).

One important denial of service (in 1.4.31) fix: CVE-2012-5533.

A flaw was found in lighttpd version 1.4.31 that could be exploited by a remote user to cause a denial of service condition in lighttpd. A client could send a malformed Connection header to lighttpd (such as 'Connection: TE,,Keep-Alive'), which would cause lighttpd to enter an endless loop, detecting an empty token but not incrementing the current string position, causing it to continually read ',' over and over.

This flaw was introduced in 1.4.31 [1] when an 'invalid read' bug was fixed [2].

[1] http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/283 0/diff/ [2] http://redmine.lighttpd.net/issues/2413

Acknowledgement :

Red Hat would like to thank Stefan Buhler for reporting this issue.
Upstream acknowledges Jesse Sipprell from McClatchy Interactive, Inc.
as the original reporter.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the 'Connection: TE,,Keep-Alive' header.

The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the Connection: TE,,Keep-Alive header (CVE-2012-5533).

The remote host is affected by the vulnerability described in GLSA-201406-10 (lighttpd: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in lighttpd. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could create a Denial of Service condition.
      Futhermore, a remote attacker may be able to execute arbitrary SQL       statements.
  Workaround :

    There is no known workaround at this time.

According to its banner, the version of lighttpd running on the remote host is 1.4.31. It is, therefore, affected by a denial of service vulnerability. An error in the http_request_split_value() function in 'src/request.c' can cause the application to enter an endless loop when handling specially crafted 'Connection' header requests.

Note that Nessus has not tested for this issue but has instead relied only on the version in the server's banner.

- Fixing bnc#790258 CVE-2012-5533: Denial of Service via     specially crafted HTTP header. Added patches:
    0001-Fix-DoS-in-header-value-split-reported-by-Jesse-Sip     p.patch     0001-remove-whitespace-at-end-of-header-keys.patch

ID	Name	Product	Family	Published	Updated	Severity
112356	lighttpd 1.4.31 http_request_split_value Function Header Handling DoS	Web App Scanning	Component Vulnerability	11/5/2018	3/14/2023	high
63016	FreeBSD : lighttpd -- remote DoS in header parsing (1cd3ca42-33e6-11e2-a255-5404a67eef98)	Nessus	FreeBSD Local Security Checks	11/23/2012	1/6/2021	medium
69775	Fedora 19 : lighttpd-1.4.32-1.fc19 (2013-15345)	Nessus	Fedora Local Security Checks	9/4/2013	1/11/2021	medium
69738	Amazon Linux AMI : lighttpd (ALAS-2013-179)	Nessus	Amazon Linux Local Security Checks	9/4/2013	4/18/2018	medium
66112	Mandriva Linux Security Advisory : lighttpd (MDVSA-2013:100)	Nessus	Mandriva Local Security Checks	4/20/2013	1/6/2021	medium
76062	GLSA-201406-10 : lighttpd: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	6/16/2014	1/6/2021	high
63094	lighttpd 1.4.31 http_request_split_value Function Header Handling DoS	Nessus	Web Servers	11/29/2012	7/12/2018	medium
74819	openSUSE Security Update : lighttpd (openSUSE-SU-2012:1532-1)	Nessus	SuSE Local Security Checks	6/13/2014	1/19/2021	medium
69774	Fedora 18 : lighttpd-1.4.32-1.fc18 (2013-15344)	Nessus	Fedora Local Security Checks	9/4/2013	1/11/2021	medium

Detections

Analytics

Plugins Search

high

medium

medium

medium

medium

high

medium

medium

medium