#VU32560 Path traversal in lighttpd - CVE-2014-2324

Vulnerability identifier: #VU32560

Vulnerability risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2014-2324

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
lighttpd
Server applications / Web servers

Vendor: lighttpd

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname.

Mitigation
Install update from vendor's website.

Vulnerable software versions

lighttpd: 1.4.1 - 1.4.34

---

External links
https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
https://lists.opensuse.org/opensuse-security-announce/2014-03/msg00023.html
https://lists.opensuse.org/opensuse-security-announce/2014-04/msg00002.html
https://lists.opensuse.org/opensuse-security-announce/2014-04/msg00006.html
https://marc.info/?l=bugtraq&m=141576815022399&w=2
https://seclists.org/oss-sec/2014/q1/561
https://seclists.org/oss-sec/2014/q1/564
https://secunia.com/advisories/57404
https://secunia.com/advisories/57514
https://www.debian.org/security/2014/dsa-2877
https://www.lighttpd.net/2014/3/12/1.4.35/
https://www.securityfocus.com/bid/66157

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.