The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Lighttpd: data corruption of mod_fastcgi

Synthesis of the vulnerability 

An attacker can use a long HTTP header to force the mod_fastcgi module of Lighttpd to corrupt its data.
Impacted systems: Debian, Fedora, lighttpd, NLD, OES, openSUSE, SLES, Unix (platform) ~ not comprehensive.
Severity of this alert: 3/4.
Creation date: 13/09/2007.
References of this alert: CERTA-2002-AVI-162, CVE-2007-4727, DSA-1362-2, FEDORA-2007-2132, SUSE-SR:2007:020, VIGILANCE-VUL-7169.

Description of the vulnerability 

The lighttpd program is a web server. Its mod_fastcgi module implements the FastCGI protocol.

A FastCGI application communicates with the web server in both directions:
 - HTTP headers and variables corresponding to the user's query are sent from the web server to the application
 - the generated page and errors are sent from the application to the web server
These exchanges use a binary protocol composed of packets:
 - 1 byte: version of FastCGI protocol
 - 1 byte: type of packet
 - 2 bytes: query identifier
 - 2 bytes: size of data
 - N bytes: data

The mod_fastcgi module does not check whether the data size exceeds 64 kbytes, the maximum the 2-byte size field can represent. An attacker can therefore send a long HTTP header in order to change the protocol behaviour: the stored size wraps modulo 64k, so the data bytes beyond that truncated size are interpreted as the next packet.
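As an added illustration (not code from the bulletin or from lighttpd), the following Python models the record framing described above: an encoder that stores the size modulo 64k, as the flaw does, beside the correct encoding that splits an oversized value into several records, and a decoder showing that the unchecked stream yields spurious extra records parsed out of the overflow bytes. It uses the full 8-byte FastCGI header, which also carries a padding-length byte and a reserved byte that the summary above omits; the 70000-byte value is a constructed sample.

```python
import struct

FCGI_VERSION_1 = 1
FCGI_PARAMS = 4            # record type carrying CGI variables (HTTP headers)
FCGI_MAX_CONTENT = 0xFFFF  # largest value the 2-byte contentLength field can hold

def pack_header(rtype, req_id, content_len, padding_len=0):
    # 8-byte FastCGI record header: version, type, requestId (2 bytes),
    # contentLength (2 bytes), paddingLength, reserved.
    return struct.pack(">BBHHBx", FCGI_VERSION_1, rtype, req_id, content_len, padding_len)

def encode_unchecked(rtype, req_id, content):
    # Mirrors the flaw in the bulletin: the length is written modulo 64k
    # while the full content still follows the header on the stream.
    return pack_header(rtype, req_id, len(content) & FCGI_MAX_CONTENT) + content

def encode_checked(rtype, req_id, content):
    # Fixed framing: split the value across records that each fit the field.
    out = b""
    for off in range(0, len(content), FCGI_MAX_CONTENT):
        chunk = content[off:off + FCGI_MAX_CONTENT]
        out += pack_header(rtype, req_id, len(chunk)) + chunk
    return out

def parse_records(stream):
    # Decodes the stream as a FastCGI peer does, trusting each header's length.
    records, pos = [], 0
    while pos + 8 <= len(stream):
        _ver, rtype, req_id, clen, plen = struct.unpack(">BBHHBx", stream[pos:pos + 8])
        pos += 8
        records.append((rtype, req_id, stream[pos:pos + clen]))
        pos += clen + plen
    return records

def demo(size=70000):
    # Constructed sample: one header value larger than 64k, like a long HTTP header.
    content = b"X" * size
    bad = parse_records(encode_unchecked(FCGI_PARAMS, 1, content))
    good = parse_records(encode_checked(FCGI_PARAMS, 1, content))
    return bad, good

if __name__ == "__main__":
    bad, good = demo()
    print("unchecked:", [(t, len(c)) for t, _, c in bad])
    print("checked:  ", [(t, len(c)) for t, _, c in good])
```

In the unchecked stream the first record is truncated to 70000 mod 65536 bytes and the remaining "X" bytes are decoded as headers of further records, which is exactly the packet confusion the bulletin describes.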

An attacker can thus inject FastCGI packets, for example to redefine the SCRIPT_FILENAME variable when PHP is used with FastCGI. If SCRIPT_FILENAME points to a file such as /etc/passwd, its content is displayed. Moreover, by loading an Apache log file into which a command was previously injected, an attacker can execute PHP code.

This vulnerability announcement impacts software or systems such as Debian, Fedora, lighttpd, NLD, OES, openSUSE, SLES, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this vulnerability alert is important.

The trust level is confirmed by the vendor, and the attack origin is an internet client.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skill can exploit this threat.

Solutions for this threat 

Lighttpd: version 1.4.18.
Version 1.4.18 is fixed:
  http://www.lighttpd.net/

Debian: new lighttpd packages (08/10/2007).
New packages are available:
Debian GNU/Linux 4.0 alias etch

Fedora 7: new lighttpd packages.
New packages are available:

SUSE: new TK, openssl, hugin, lighttpd, novell-groupwise-gwclient, sylpheed-claws packages.
New packages are available via FTP or YaST.

Computer vulnerabilities tracking service 

Vigil@nce provides a cybersecurity workaround. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.