oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: A CGI application vulnerability for PHP, Go, Python and others

From: Solar Designer <solar () openwall com>
Date: Mon, 18 Jul 2016 17:56:53 +0300
On Tue, Jul 19, 2016 at 02:00:53AM +1200, Richard Rowe wrote:

The Apache Software Foundation have an advisory available at
https://www.apache.org/security/asf-httpoxy-response.txt


Neither the Apache advisory above nor the httpoxy website currently
mention the below detail, so I thought I'd post:

Apache httpd trunk's suexec wrapper was patched to filter out HTTP_PROXY
on February 13, 2015:

http://mail-archives.apache.org/mod_mbox/httpd-cvs/201502.mbox/%3C20150213232410.B89BCAC0110 () hades apache org%3E
http://svn.apache.org/r1659711
https://svn.apache.org/repos/asf/httpd/httpd/trunk/CHANGES

  *) suexec: Filter out the HTTP_PROXY environment variable because it is
     treated as alias for http_proxy by some programs. [Stefan Fritsch]

The httpoxy website refers to a posting by Stefan Fritsch:

http://mail-archives.apache.org/mod_mbox/httpd-dev/201502.mbox/%3C2651807.jIIY3NPtlf@k%3E

but not yet to its apparent outcome, above.

httpd 2.4.23's suexec does not yet include this change (different branch).

Of course, it's just suexec, which isn't always used, so it was not a
complete fix anyway.

Alexander
Previous By Date Next
Previous By Thread Next

Current thread: