oss-sec mailing list archives
Re: A CGI application vulnerability for PHP, Go, Python and others
From: Solar Designer <solar () openwall com>
Date: Mon, 18 Jul 2016 17:56:53 +0300
On Tue, Jul 19, 2016 at 02:00:53AM +1200, Richard Rowe wrote:
The Apache Software Foundation have an advisory available at https://www.apache.org/security/asf-httpoxy-response.txt
Neither the Apache advisory above nor the httpoxy website currently mention the below detail, so I thought I'd post: Apache httpd trunk's suexec wrapper was patched to filter out HTTP_PROXY on February 13, 2015: http://mail-archives.apache.org/mod_mbox/httpd-cvs/201502.mbox/%3C20150213232410.B89BCAC0110 () hades apache org%3E http://svn.apache.org/r1659711 https://svn.apache.org/repos/asf/httpd/httpd/trunk/CHANGES *) suexec: Filter out the HTTP_PROXY environment variable because it is treated as alias for http_proxy by some programs. [Stefan Fritsch] The httpoxy website refers to a posting by Stefan Fritsch: http://mail-archives.apache.org/mod_mbox/httpd-dev/201502.mbox/%3C2651807.jIIY3NPtlf@k%3E but not yet to its apparent outcome, above. httpd 2.4.23's suexec does not yet include this change (different branch). Of course, it's just suexec, which isn't always used, so it was not a complete fix anyway. Alexander
Current thread:
- A CGI application vulnerability for PHP, Go, Python and others Richard Rowe (Jul 18)
- Re: A CGI application vulnerability for PHP, Go, Python and others Kurt Seifried (Jul 18)
- Re: A CGI application vulnerability for PHP, Go, Python and others Peter Bex (Jul 21)
- Re: A CGI application vulnerability for PHP, Go, Python and others Solar Designer (Jul 18)
- Re: A CGI application vulnerability for PHP, Go, Python and others Jan Schaumann (Jul 18)
- Re: A CGI application vulnerability for PHP, Go, Python and others Solar Designer (Jul 18)
- Re: A CGI application vulnerability for PHP, Go, Python and others Kurt Seifried (Jul 18)
- Re: A CGI application vulnerability for PHP, Go, Python and others Solar Designer (Jul 18)
- Re: A CGI application vulnerability for PHP, Go, Python and others Kurt Seifried (Jul 18)