p0dalirius/CVE-2022-30780-lighttpd-denial-of-service

CVE-2022-30780 - lighttpd remote denial of service


Summary

An unauthenticated attacker can send an HTTP request with a URL that exceeds the maximum URL length, resulting in a denial of service.
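For detection, the pattern described above shows up as repeated requests with very long request targets from one client. The following is an added example, not code from this repository: it scans access-log lines in Combined Log Format and reports clients that repeatedly send oversized URLs or receive HTTP 414 responses. The length threshold, hit count, function names and sample log lines are assumptions constructed for illustration; the page does not state the actual length limit, and a front proxy's log may be the more reliable source if the server stops logging under load.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) '
)

# Assumed tuning values: the page gives no limit, so set these for your deployment.
URL_LEN_THRESHOLD = 4096
MIN_HITS = 5


def suspicious_clients(lines, url_len=URL_LEN_THRESHOLD, min_hits=MIN_HITS):
    """Return {client_ip: count} for clients with at least min_hits requests
    whose request target is url_len bytes or longer, or that drew a 414."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line (truncated or non-HTTP noise): skip it
        if len(m["target"]) >= url_len or m["status"] == "414":
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def _line(ip, target, status):
    # Helper that builds one constructed log line for the sample below.
    return (f'{ip} - - [01/Jan/2022:00:00:00 +0000] '
            f'"GET {target} HTTP/1.1" {status} 0 "-" "-"')


# Constructed sample log: one noisy client, one normal client, one single long query.
SAMPLE_LOG = (
    [_line("203.0.113.7", "/" + "A" * 8000, 414) for _ in range(6)]
    + [_line("198.51.100.4", "/index.html", 200) for _ in range(10)]
    + [_line("198.51.100.9", "/search?q=" + "b" * 5000, 200)]
)

if __name__ == "__main__":
    for ip, count in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {count} oversized-URL requests")
```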

Vulnerable versions

The following versions of lighttpd are vulnerable:

| Software | Version | Vulnerable |
|----------|---------|------------|
| Lighttpd | 1.4.58  | Yes        |
| Lighttpd | 1.4.57  | Yes        |
| Lighttpd | 1.4.56  | Yes        |

Usage

$ ./CVE-2022-30780-lighttpd-denial-of-service.py -h
usage: CVE-2022-30780-lighttpd-denial-of-service.py [-h] [-v] -u URL [-k] [-t THREADS]

CVE-2022-30780-lighttpd-denial-of-service

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Verbose mode
  -u URL, --url URL     URL to connect to.
  -k, --insecure        Allow insecure server connections when using SSL (default: False)
  -t THREADS, --threads THREADS
                        Number of threads (default: 20)

References