The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Lighttpd: log injection via basic HTTP authentication

Synthesis of the vulnerability 

An attacker can inject logs via a basic HTTP authentication of Lighttpd, in order to disturb a log analysis.
Impacted systems: Fedora, lighttpd, McAfee NSM, McAfee NTBA, Solaris.
Severity of this alert: 2/4.
Creation date: 26/05/2015.
References of this alert: bulletinoct2015, CVE-2015-3200, FEDORA-2015-12250, FEDORA-2015-12252, SB10310, VIGILANCE-VUL-16991.

Description of the vulnerability 

The Lighttpd product is a web server.

Lighttpd implements "basic HTTP" authentication and logs the login name. Normally the login and password are joined as "login:password" and base64-encoded. However, when a '\0' character is placed after the login name, http_auth.c does not find the ':' separator, and additional lines are injected into the log file.

An attacker can therefore inject logs via a basic HTTP authentication of Lighttpd, in order to disturb a log analysis.
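The separator lookup described above stops at the first NUL byte when done with strchr(). The following added example (not lighttpd's own code) checks the decoded credential by its explicit length instead, rejects control characters, and escapes the login before it reaches a log line; the sample credentials are constructed:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not lighttpd code: strchr() stops at the first NUL, so a NUL
 * after the login hides the ':'. Checking by explicit length closes that gap. */

#define CRED_NO_SEPARATOR (-1)
#define CRED_CONTROL_CHAR (-2)
#define CRED_LEN(s) (sizeof(s) - 1)
/* Constructed sample credentials (as they look after base64 decoding). */
static const char cred_good[] = "alice:secret";
static const char cred_bad[]  = "alice\0\nforged log line:x"; /* NUL after login */

/* Returns the login length, or a negative code when the credential must be
 * rejected; every byte is inspected, so a NUL or newline cannot slip through. */
long basic_login_length(const char *buf, size_t len) {
    const char *sep = memchr(buf, ':', len);   /* bounded by len, not by NUL */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c < 0x20 || c == 0x7f) return CRED_CONTROL_CHAR;
    }
    if (sep == NULL) return CRED_NO_SEPARATOR;
    return (long)(sep - buf);
}

/* Escape a login for logging: printable ASCII passes through, every other
 * byte becomes \xNN, so one log record always stays on one line. */
size_t log_escape(const char *in, size_t len, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; i < len && o + 5 < outsz; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c >= 0x20 && c < 0x7f) out[o++] = (char)c;
        else o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", c);
    }
    out[o] = '\0';
    return o;
}

int log_escape_matches(const char *in, size_t len, const char *expected) {
    char out[128];                      /* self-check: 1 if escaping gives expected */
    log_escape(in, len, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int main(void) {
    printf("good -> %ld\n", basic_login_length(cred_good, CRED_LEN(cred_good)));
    printf("bad: strchr sees ':'? %s\n", strchr(cred_bad, ':') ? "yes" : "no");
    printf("bad: bounded check -> %ld\n", basic_login_length(cred_bad, CRED_LEN(cred_bad)));
    return 0;
}
```

The second printf shows what a NUL-terminated lookup sees on the bad credential (no ':'), while the bounded check rejects it outright because of the embedded control bytes.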

This security note impacts software or systems such as Fedora, lighttpd, McAfee NSM, McAfee NTBA, Solaris.

Our Vigil@nce team determined that the severity of this threat announcement is medium.

The trust level is: confirmed by the editor; the attack origin is an internet client.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level ability can exploit this vulnerability.

Solutions for this threat 

Lighttpd: version 1.4.36.
The version 1.4.36 is fixed:
  http://www.lighttpd.net/download/

Lighttpd: workaround for basic authentication.
A workaround is to disable basic HTTP authentication.

Fedora: new lighttpd packages.
New packages are available:
  Fedora 21: lighttpd 1.4.36-1.fc21
  Fedora 22: lighttpd 1.4.36-1.fc22

McAfee Network Security Manager: version 9.1 Update 6 (9.1.7.80).
The version 9.1 Update 6 (9.1.7.80) is fixed:
  https://support.mcafee.com/

Network Threat Behavior Analysis: version 9.1 Update 6 (9.1.3.63).
The version 9.1 Update 6 (9.1.3.63) is fixed:
  https://support.mcafee.com/

Solaris: patch for Third Party (10/2015).
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Computer vulnerabilities tracking service 

Vigil@nce provides patches for system vulnerabilities. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.