In association with heise online

17 April 2007, 12:49

Update for Lighttpd web server fixes DoS vulnerabilities


The lean Lighttpd web server contains two vulnerabilities that threaten its stable operation; an attacker can exploit either of them to mount a denial of service attack. The first is in request header parsing: if a client sends the header terminator "\r\n\r\n" and the connection is interrupted while the server is still parsing it, the server can be tied up in a loop that exhausts CPU, or it can crash. Any client able to reach the server can trigger this. The bug is present in versions 1.4.12 and 1.4.13 only.

The second bug is triggered when Lighttpd serves a file whose modification time stamp is zero (mtime=0, the Unix epoch): a null pointer dereference crashes the server process. This one is harder to exploit, because the attacker must first be able to place such a prepared file on the server, for instance through an upload facility.

This second bug affects the 1.3.x and 1.4.x series. Both bugs are fixed in version 1.4.14 and later; the current release is 1.4.15. Because of its low resource requirements, Lighttpd is also used in many embedded systems.
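Two local checks an administrator could run in response to this advisory, as an added example that is not from The H or from the lighttpd project: a version comparison against 1.4.14 (the fixed release named above) and a search of the document root for files whose mtime is 0, since each such file can crash an unpatched server when it is requested. It assumes that `lighttpd -v` prints a line beginning `lighttpd/<version>` and that the document root is `/var/www` unless another path is passed as the first argument; both are assumptions, not facts from the article.

```sh
#!/bin/sh
# Added example, not code from The H or the lighttpd project.
# Check 1: is the installed lighttpd older than 1.4.14, the first fixed release?
# Check 2: does the document root contain files with mtime=0 (the Unix epoch)?

# Compare two dotted version strings; prints -1, 0 or 1 as $1 is
# older than, equal to, or newer than $2. Missing components count as 0,
# and a trailing suffix such as "15-rc1" is reduced to its leading digits.
vercmp() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}                 # leading component of each
        if [ "$v1" = "$a" ]; then v1=; else v1=${v1#*.}; fi
        if [ "$v2" = "$b" ]; then v2=; else v2=${v2#*.}; fi
        a=${a%%[!0-9]*}; b=${b%%[!0-9]*}         # drop non-numeric suffixes
        a=${a:-0}; b=${b:-0}
        if [ "$a" -lt "$b" ]; then echo -1; return 0; fi
        if [ "$a" -gt "$b" ]; then echo 1; return 0; fi
    done
    echo 0
}

# True (exit 0) if lighttpd version $1 is below 1.4.14, which the article
# names as the first release fixing both bugs.
needs_update() {
    [ "$(vercmp "$1" 1.4.14)" -lt 0 ]
}

# Assumed output format: "lighttpd/1.4.13 - a light and fast webserver".
# Prints only the dotted version, or nothing if lighttpd is not in PATH.
installed_version() {
    lighttpd -v 2>/dev/null | sed -n 's#^lighttpd/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# Print regular files under directory $1 whose mtime is at the epoch (0).
# find -newermt is not POSIX, so a reference file is set to the epoch with
# touch -t (interpreted as UTC) and "! -newer" selects files no newer than it.
find_epoch_files() {
    ref=$(mktemp) || return 1
    TZ=UTC touch -t 197001010000.00 "$ref"
    find "$1" -type f ! -newer "$ref" -print
    rm -f "$ref"
}

ver=$(installed_version)
if [ -z "$ver" ]; then
    echo "lighttpd not found in PATH; skipping version check"
elif needs_update "$ver"; then
    echo "lighttpd $ver is older than 1.4.14: update"
else
    echo "lighttpd $ver: fixed release"
fi

docroot=${1:-/var/www}   # assumed document root; pass the real one as argument 1
if [ -d "$docroot" ]; then
    echo "files with mtime=0 under $docroot (each can crash an unpatched server):"
    find_epoch_files "$docroot"
fi
```

Any file the second check lists should be retouched or removed until the server is updated; the version check is only as reliable as the assumed `lighttpd -v` output format, so confirm it against the binary actually installed.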
