QwikSec

Security Database

CVE

CWE

Training

CVE-2012-5533

Published: Nov 24, 2012

Modified: Aug 6, 2024

PUBLISHED

Description

The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

[oss-security] 20121121 lighttpd 1.4.32 released, fixing CVE-2012-5533

mailing-list

x_refsource_MLIST

openSUSE-SU-2012:1532

vendor-advisory

x_refsource_SUSE

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt

x_refsource_CONFIRM

exploit

x_refsource_EXPLOIT-DB

vdb-entry

x_refsource_SECTRACK

http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch

x_refsource_MISC

http://packetstormsecurity.org/files/118282/Simple-Lighttpd-1.4.31-Denial-Of-Service.html

x_refsource_MISC

third-party-advisory

x_refsource_SECUNIA

https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0345

x_refsource_CONFIRM

vdb-entry

x_refsource_OSVDB

vendor-advisory

x_refsource_HP

vendor-advisory

x_refsource_MANDRIVA

lighttpd-httprequestsplitvalue-dos(80213)

vdb-entry

x_refsource_XF

third-party-advisory

x_refsource_SECUNIA

openSUSE-SU-2014:0074

vendor-advisory

x_refsource_SUSE

vdb-entry

x_refsource_BID

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.