oss-sec mailing list archives
Re: A CGI application vulnerability for PHP, Go, Python and others
From: Jan Schaumann <jschauma () netmeister org>
Date: Mon, 18 Jul 2016 14:23:41 -0400
Richard Rowe <arch.richard () gmail com> wrote:
> The consequence is that an attacker can force a proxy of their choice to be used. This proxy receives the full request for anything sent over HTTP using a vulnerable client. It can also act in a malicious way to tie up server resources (a "reverse slowloris").
I know you mentioned it on https://httpoxy.org/, but I think it's worth stressing explicitly again: use of HTTPS for all requests made by the application, internal as well as external, defeats this vulnerability (provided certificates are actually verified).

-Jan