
lighttpd Slow Request Denial of Service Vulnerability


Secunia ID: SA38403

CVE-ID: CVE-2010-0295

Release Date: 02 Feb 2010

Last Change: 08 Feb 2010

Criticality: Moderately Critical

Solution Status: Vendor Patch

Software: lighttpd 1.x

Where: From remote

Impact: DoS (Denial of Service)

This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.

Description

A vulnerability has been reported in lighttpd, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused by the server allocating several kilobytes of heap memory for each received network packet. This can be exploited to exhaust all available memory and terminate the server, e.g. via an HTTP session that sends a network packet of 1 byte per second.
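The following is an added model of the buffering behaviour described above; it is not lighttpd's own code. It contrasts a buffer that keeps a fixed heap chunk per received packet with one that grows only by the bytes actually received, and shows the heap-to-received-bytes ratio that makes a slow 1-byte-per-packet request expensive. The 4 KiB chunk size and the sample request are constructed assumptions.

```python
# Added model (not lighttpd's own code) of the buffering behaviour the advisory
# describes: a per-packet allocation that keeps several KiB of heap per packet
# versus a buffer that only grows by the bytes actually received.
from dataclasses import dataclass, field

PER_PACKET_CHUNK = 4096  # assumption: "several kilobytes" per packet (constructed)


@dataclass
class PerPacketBuffer:
    """Models the vulnerable behaviour: every received packet gets its own
    fixed-size heap chunk that stays allocated until the request completes."""
    chunks: list = field(default_factory=list)

    def receive(self, data: bytes) -> None:
        chunk = bytearray(PER_PACKET_CHUNK)  # whole chunk, even for a 1-byte packet
        chunk[:len(data)] = data
        self.chunks.append(chunk)

    def heap_bytes(self) -> int:
        return sum(len(c) for c in self.chunks)


@dataclass
class ExactBuffer:
    """Hardened model: the request buffer grows only by the bytes received."""
    data: bytearray = field(default_factory=bytearray)

    def receive(self, data: bytes) -> None:
        self.data += data

    def heap_bytes(self) -> int:
        return len(self.data)


def slow_request(buf, request: bytes, bytes_per_packet: int = 1) -> int:
    """Deliver `request` to `buf` in packets of `bytes_per_packet` bytes and
    return the heap bytes held once the whole request has arrived."""
    for i in range(0, len(request), bytes_per_packet):
        buf.receive(request[i:i + bytes_per_packet])
    return buf.heap_bytes()


def amplification(buf_cls, request: bytes, bytes_per_packet: int = 1) -> float:
    """Heap bytes held per byte received: ~1.0 is healthy, a large ratio is
    the per-packet overhead the advisory describes."""
    return slow_request(buf_cls(), request, bytes_per_packet) / len(request)


# Constructed sample request: a small GET with a short header block.
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: x\r\n\r\n"

if __name__ == "__main__":
    for cls in (PerPacketBuffer, ExactBuffer):
        print(cls.__name__, slow_request(cls(), SAMPLE_REQUEST), "heap bytes for",
              len(SAMPLE_REQUEST), "bytes received")
```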

Solution

Update to version 1.4.26 or apply the patch:
http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.x_fix_slow_request_dos.patch

Reported by

Reported by Li Ming in a lighttpd bug report.

Original Advisory

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt
http://redmine.lighttpd.net/issues/2147