Vigil@nce - Lighttpd: log injection via basic HTTP authentication
July 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can inject logs via a basic HTTP authentication of
Lighttpd, in order to disturb a log analysis.
Impacted products: Lighttpd
Severity: 2/4
Creation date: 26/05/2015
DESCRIPTION OF THE VULNERABILITY
The Lighttpd product is a web server.
Lighttpd implements "basic HTTP" authentication, and logs a login
name. Usually, the login and password are unified as
"login:password" and encoded in base64. However, when a character
’\0’ is used after the login name, the ’:’ punctuation is not
found by http_auth.c, so additional lines are injected in the log
file.
An attacker can therefore inject logs via a basic HTTP
authentication of Lighttpd, in order to disturb a log analysis.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Lighttpd-log-injection-via-basic-HTTP-authentication-16991