|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 3127 CVE : CVE-2007-4727 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : Mattias Bengtsson & Philip Olausson Published : 14.09.2007
Advisory Content : FastCGI header overrun in mod_fastcgi ======================================= Description ------------- Lighttpd is prone to a header overflow when using the mod_fastcgi extension, this can lead to arbitrary code execution in the fastcgi application. For a detailed description of the bug see the external reference. This bug was found by Mattias Bengtsson <mattias@secweb.se> and Philip Olausson <po@secweb.se>. External reference: http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/ Affected versions ------------------- all previous versions. Solutions or Workaround ------------------------- upgrade to 1.4.18 or apply lighttpd-1.4.x_mod_fastcgi_overrun.patch This bug is tracked as CVE-2007-4727. ---- More details ------------- Issue: Lighttpd is prone to a header overflow when using the mod_fastcgi extension, this can lead to arbitrary code execution in the fastcgi application. Description: Lighttpd (pronounced "lighty") is a web server which is designed to be secure, fast, standards-compliant, and flexible while being optimized for speed-critical environments. Details: fcgi_env_add_request_headers(srv, con, p); fcgi_header(&(header), FCGI_PARAMS, request_id, p->fcgi_env->used, 0); buffer_append_memory(b, (const char *)&header, sizeof(header)); buffer_append_memory(b, (const char *)p->fcgi_env->ptr, p->fcgi_env->used); The above code will read up all headers requested by the client and construct the fastcgi header, which will be sent to PHP. The code does not care if contentLength is more than 0xffff, and is therefore prone to a overrun. static int fcgi_header(FCGI_Header * header, unsigned char type, size_t request_id, int contentLength, unsigned char paddingLength) { ... header->contentLengthB0 = contentLength & 0xff; header->contentLengthB1 = (contentLength >> 8) & 0xff; ... While there are more data to send and PHP does not care how many packages it gets, it is possible to take control over the next package header and add/replace headers in PHP. For example SCRIPT_FILENAME which we will be using in the example exploit. Proof Of Concepts: Since 1.4.17 we are not allowed to use any character less then 0x20 as a value in an header which makes the exploitation of the vulnerability a little bit more complicated, but still possible. For the high risk of this vulnerability we have chosen not to release a exploit for 1.4.17, but instead a fully working exploit for <= 1.4.16 and PHP 5.2.X. Lighttpd FastCGI Remote Vulnerability Exploit Example: # ./exploit localhost 80 /etc/passwd or # wget --referer="<?php system('/usr/bin/id'); ?>" localhost # ./exploit localhost 80 /var/log/lighttpd/access.log Interested in a exploit for 1.4.17? Please contact us! Impact: The impact for this issue should be considered VERY HIGH! Solution: Upgrade to lighttpd 1.4.18 ---------------- END ---------------  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |