CVE-2022-30780 - lighttpd remote denial of service

Summary

An unauthenticated attacker can send an HTTP request with an URL overflowing the maximum URL length, resulting in a denial of service.

Vulnerable versions

The following versions of lighttpd are vulnerable:

Software	Version	Vulnerable
Lighttpd	1.4.58	Yes ✅
Lighttpd	1.4.57	Yes ✅
Lighttpd	1.4.56	Yes ✅

Usage

$ ./CVE-2022-30780-lighttpd-denial-of-service.py -h
usage: CVE-2022-30780-lighttpd-denial-of-service.py [-h] [-v] -u URL [-k] [-t THREADS]

CVE-2022-30780-lighttpd-denial-of-service

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Verbose mode
  -u URL, --url URL     URL to connect to.
  -k, --insecure        Allow insecure server connections when using SSL (default: False)
  -t THREADS, --threads THREADS
                        Number of threads (default: 20)

Demonstration

demo.mp4

References

https://github.com/lighttpd/lighttpd1.4
https://podalirius.net/en/cves/2022-30780/
https://redmine.lighttpd.net/issues/3059

p0dalirius/CVE-2022-30780-lighttpd-denial-of-service

CVE-2022-30780 - lighttpd remote denial of service

Summary

Vulnerable versions

Usage

Demonstration

References