Practical examples of CVE-2014-2324 and 2323

Asked by Andrew on 2014-09-28

Could somebody please provide some examples of how CVE-2014-2324 and CVE-2014-2323 could be exploited in practice?

Like could I use the URL like www.example.org/blog/../../../../etc/passwd
(I take it this will only work with permissions for www-data)

Also, how about SQL injection?

www.example.org/blog/post?id=1' SHOW DATABASES
www.example.org/blog/post?id=1; path = /

I need to check a site that was running an outdated version of Lighttpd.

Question information

Language: English
Status: Answered
For: Ubuntu lighttpd
Assignee: No assignee
Last query: 2014-09-28
Last reply: 2014-09-29

Thomas Krüger (thkrueger) said : #1

No, we don't provide practical examples of how to exploit systems!

Andrew (am-public-o) said : #2

Ha, when you put it that way, I see why. I'm trying to work out if my system is vulnerable. It's just that exploits become complicated, so it makes it hard to work out where a potential attack vector comes from.

I can see in the error logs there have been a number of hits of various directories and also /etc/passwd.

Maybe somebody could then state simply: do the files need to be explicitly owned by www-data in order to be accessed, or could an xx5 permission be enough?
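The ownership question in post #2 comes down to the standard Unix permission classes, so the following added example (not part of the thread, and not lighttpd or Ubuntu code) audits which files an account such as www-data can read. It evaluates mode bits only; the function names and the `start` parameter are this example's own, and root, POSIX ACLs and AppArmor are out of scope.

```python
import grp
import os
import pwd
import sys


def class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that applies to this uid/gid set.

    Exactly one class is used: owner if the uid matches, else group if any
    gid matches, else "other". A matching class is never skipped in favour
    of a more permissive one further down.
    """
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def readable_by(path, uid, gids, start="/"):
    """True if uid/gids could open `path` (assumed to lie under `start`).

    Needs search (x) on every directory from `start` down to the file and
    read (r) on the file itself. Ownership is not required.
    """
    path, start = os.path.realpath(path), os.path.realpath(start)
    current = start
    for part in os.path.relpath(path, start).split(os.sep):
        if not class_bits(os.stat(current), uid, gids) & 1:  # x bit
            return False
        current = os.path.join(current, part)
    return bool(class_bits(os.stat(current), uid, gids) & 4)  # r bit


def account_ids(name):
    """uid and full gid set (primary plus supplementary) of a local account."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


if __name__ == "__main__":
    # www-data is the account named in the thread; paths come from argv.
    uid, gids = account_ids("www-data")
    for p in sys.argv[1:]:
        verdict = "readable" if readable_by(p, uid, gids) else "not readable"
        print(f"{p}: {verdict} by www-data")
```

Run it with the paths seen in the logs as arguments, for example `/etc/passwd`, to see what the web server account can reach through plain file permissions.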
