PT-2019-5414 · Lighttpd +1

Published: 2019-04-10 · Updated: 2026-01-18 · CVE-2019-11072

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: lighttpd versions prior to 1.4.54
Description: lighttpd before 1.4.54 contains a signed integer overflow that allows a remote attacker to cause a denial of service (application crash) or possibly have other, unspecified impact via a crafted HTTP GET request, as demonstrated by the mishandling of the request target /%2F?%2F in burl_normalize_2F_to_slash_fix in burl.c. The code path that can be made to crash belongs to a feature introduced in lighttpd 1.4.50 (decoding of %2F in the URL path, selected with the url-path-2f-decode option of server.http-parseopts) that is off by default and must be explicitly enabled in the configuration file (e.g. lighttpd.conf); default installations are therefore not affected. With the feature enabled, certain input triggers an explicit abort() and the server process exits. Upstream states that the issue is not exploitable beyond that abort() and the subsequent process exit. Note that the CVSS v2.0 vector above nonetheless scores full confidentiality, integrity and availability impact, so treat the score as an upper bound rather than as a confirmed code-execution risk.
Recommendations: For versions prior to 1.4.54, update to lighttpd 1.4.54 or later. Until the update can be applied, disable the %2F-decoding feature introduced in 1.4.50 by removing (or setting to "disable") the url-path-2f-decode option in server.http-parseopts in lighttpd.conf and restarting lighttpd; installations that never enabled this option are not affected. burl_normalize_2F_to_slash_fix is an internal function in burl.c and cannot be turned off separately from that configuration option, so the configuration change and the version update are the only effective controls.
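As an added illustration of the class of defect described above (example code written for this page, not lighttpd's burl.c and not the vulnerable function itself): a %2F-to-slash normalizer that restricts decoding to the path component, stops at the first '?', keeps every length in size_t and checks the remaining byte count before reading a three-byte escape, so the request target /%2F?%2F cited in the description is normalized to //?%2F instead of driving a length calculation negative. The function names path_2f_to_slash and normalize_copy and the sample inputs are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example for this page, not lighttpd code: decode "%2F" / "%2f" to "/"
 * in the path component of a request target only.  The scan stops at the
 * first '?', so the query string is never rewritten, and all lengths are
 * size_t with explicit remaining-bytes checks, so no length can go negative.
 * Returns the new length of buf, or (size_t)-1 on a NULL buffer. */
size_t path_2f_to_slash(char *buf, size_t len)
{
    if (buf == NULL)
        return (size_t)-1;

    /* Bounded search for the query delimiter; memchr never reads past len. */
    const char *q = memchr(buf, '?', len);
    size_t path_len = q ? (size_t)(q - buf) : len;

    size_t r = 0, w = 0;
    while (r < path_len) {
        /* A complete escape needs three bytes inside the path part. */
        if (buf[r] == '%' && path_len - r >= 3 && buf[r + 1] == '2'
            && (buf[r + 2] == 'F' || buf[r + 2] == 'f')) {
            buf[w++] = '/';
            r += 3;
        } else {
            buf[w++] = buf[r++];
        }
    }

    /* Shift the untouched query string down to follow the shortened path.
     * tail cannot underflow because path_len <= len by construction. */
    size_t tail = len - path_len;
    if (tail)
        memmove(buf + w, buf + path_len, tail);
    return w + tail;
}

/* Copy a C string into out (capacity cap), normalize it and NUL-terminate.
 * Returns the normalized length, or (size_t)-1 if out is too small. */
size_t normalize_copy(const char *in, char *out, size_t cap)
{
    size_t len = strlen(in);
    if (len + 1 > cap)
        return (size_t)-1;
    memcpy(out, in, len);
    size_t n = path_2f_to_slash(out, len);
    if (n == (size_t)-1)
        return n;
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed inputs, including the request target cited in the CVE. */
    const char *samples[] = { "/%2F?%2F", "/a%2fb/c", "/%2", "?%2F", "%2F%2F" };
    char out[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = normalize_copy(samples[i], out, sizeof out);
        printf("%-10s -> %s (len %zu)\n", samples[i], out, n);
    }
    return 0;
}
```

The point to carry over to any normalizer that rewrites in place: compute the path boundary first, derive every remaining-bytes check from that boundary, and move the untouched tail only after the shortened prefix has been written, so an escape at the very end of the path or a path that is empty before '?' cannot produce a negative or out-of-range length.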

Tags: Exploit · Fix · DoS · Integer Overflow

Weakness Enumeration

Related Identifiers

ALT-PU-2019-1926
ALT-PU-2019-1933
BDU:2020-02905
CVE-2019-11072

Affected Products

Alt Linux
Lighttpd