Critical vulnerability in lighttpd, DoS

Published on February 04, 2010

    From the official site

    Security Announce: slow request DoS / OOM attack
    February 1st, 2010

    Li Ming reported a serious bug in lighttpd:

    If you send the request data very slow (eg sleep 0.01 after each byte), lighttpd will easily use all available memory and die (especially for parallel requests), allowing a DoS within minutes.

    As far as we know all versions are affected.

    Translation

    If you send request data at large intervals (for example, pausing 0.01 seconds after each byte), Lighty will start consuming all available memory and crash (especially with parallel requests); this makes a denial of service possible within minutes.

    As far as the developers know, all versions of the server are affected.

    Link to the bug in the tracker and the patch
    Prerelease 1.4.26 with fix (via eugeneorlov)
    Fix for Debian (via esten)

    Be careful!