CivetWeb
cpe:2.3:a:civetweb_project:civetweb:*:*:*:*:*:*:*
- < 1.08
A denial-of-service vulnerability has been identified in the CivetWeb library, specifically in the form handling function 'mg_handle_form_request'. This issue affects all versions prior to 1.08. Remote attackers can exploit the vulnerability by sending crafted HTTP POST requests that include a null byte in the payload. This causes the server to enter an infinite loop while parsing the form data, leading to complete CPU exhaustion and making the service unresponsive. The vulnerability arises from improper handling of URL-encoded forms, allowing malformed requests to disrupt normal processing. The issue does not affect the standalone executable version of CivetWeb, which is available pre-built by the vendor.
Exploitation of this vulnerability causes a denial-of-service condition by overwhelming the CPU, leading to a complete service outage.
The vulnerability can be reproduced by sending an HTTP POST request to a server that uses the CivetWeb library version 1.16 or earlier. The request must include a null byte in the form data payload. This can be done using a variety of tools or programming languages that allow for the manipulation of HTTP requests, such as Python with the 'requests' library, or by using a tool like Postman or curl. Once the crafted request is sent, the server will enter an infinite loop, causing CPU exhaustion and unresponsiveness.
Users can update to CivetWeb version 1.08 or later, where this vulnerability has been fixed. The patch is included in the latest release, version 1.17.
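Until the upgrade is deployed, an application that embeds the library can screen URL-encoded form bodies before they reach the form handler. The following is an added example, not CivetWeb code and not the project's patch: the function name `check_urlencoded_body`, its result codes and the field limit are assumptions, and rejecting percent-encoded `%00` as well as a raw null byte is a conservative choice that goes beyond what the advisory states.

```c
#include <stddef.h>

/* Result codes for the hypothetical pre-filter. */
enum form_check {
    FORM_OK = 0,
    FORM_HAS_NUL,         /* raw 0x00 or percent-encoded %00 in the body */
    FORM_BAD_ESCAPE,      /* '%' not followed by two hex digits */
    FORM_TOO_MANY_FIELDS  /* more '&'-separated fields than allowed */
};

static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Validate a form body of exactly `len` bytes (taken from Content-Length,
 * never from strlen, so an embedded null byte cannot hide the tail).
 * Every loop iteration advances `i`, so the scan always terminates. */
enum form_check check_urlencoded_body(const unsigned char *body, size_t len,
                                      size_t max_fields, size_t *fields_out)
{
    size_t i = 0, fields = (len > 0) ? 1 : 0;

    if (fields > max_fields)
        return FORM_TOO_MANY_FIELDS;
    while (i < len) {
        unsigned char c = body[i];
        if (c == 0x00)
            return FORM_HAS_NUL;
        if (c == '%') {
            int hi, lo;
            if (len - i < 3)
                return FORM_BAD_ESCAPE;
            hi = hex_val(body[i + 1]);
            lo = hex_val(body[i + 2]);
            if (hi < 0 || lo < 0)
                return FORM_BAD_ESCAPE;
            if (hi == 0 && lo == 0)
                return FORM_HAS_NUL;
            i += 3;
            continue;
        }
        if (c == '&' && ++fields > max_fields)
            return FORM_TOO_MANY_FIELDS;
        i++;
    }
    if (fields_out)
        *fields_out = fields;
    return FORM_OK;
}
```

A request whose body returns anything other than `FORM_OK` can be answered with HTTP 400 before any form parsing takes place.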