Monday, May 25, 2015


Last week I noticed a issue in lighttpd server source code, that made it possible to do log injections. I notified the developers and it was decided that because this issue does not result in RCE or DOS, but only affects reliability of the logs, it is better to make it public. So here it is (still vulnerable, but now you know that logs might be tampered with).

CVE: CVE-2015-3200
Software: Lighttpd
Type: Log injection
Bug track link:
Source code Location: http_auth.c:860
Vulnerable servers: Servers that use basic authentication
Description: When basic HTTP authentication base64 string does not contain colon character (or contains it after NULL byte - can be inserted inside base64 encoding), then that situation is logged with a string ": is missing in " and the simply decoded base64 string. This means that new lines, NULL byte and everything else can be encoded with base64 and are then inserted to logs as they are after decoding.

For example header "Authorization: Basic dGVzdAAKMjEwMC0wMS0wMSAwMDowMDowMDogKG1hZ2ljLmMuODU5KSBJVCdTIFRIRSBFTkQgT0YgVEhFIFdPUkxEIQ==" results in two log lines:
2015-05-14 12:55:54: (http_auth.c.859) : is missing in test
2100-01-01 00:00:00: (magic.c.859) IT'S THE END OF THE WORLD

On other subject: Does anyone know place in that requires basic authentication?

1 comment:

  1. I am truly pleased to discover this website as well as do appreciate reading through helpful content articles submitted right here. The actual suggestions from the writer had been amazing, many thanks for that reveal.