oss-sec mailing list archives
A CGI application vulnerability for PHP, Go, Python and others
From: Richard Rowe <arch.richard () gmail com>
Date: Tue, 19 Jul 2016 02:00:53 +1200
Hello,

The Vend security team would like to publicly disclose a vulnerability we've (re)discovered in CGI and PHP web applications. Here's a two line summary:

- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

The consequence is that an attacker can force a proxy of their choice to be used. This proxy receives the full request for anything sent over HTTP using a vulnerable client. It can also act in a malicious way to tie up server resources (a "reverse slowloris").

For the purposes of general disclosure to the wider ecosystem, we've prepared a website that describes the issue and collects common mitigations: https://httpoxy.org/ - but I'll continue with some notes below.

Particularly affected is anything using the Guzzle HTTP library for PHP, but also many other languages and frameworks when deployed under 'real' CGI (PHP's userspace is basically emulated CGI), including Go's net/http and Python's requests.

This bug appears to be more than 15 years old, and was fixed in a piecemeal fashion in other software (e.g. curl, libwww-perl, Ruby). The good news, however, is that stripping any Proxy request header is easy (because it is undefined by IETF and not listed in IANA's registry of message headers) - there should be no standard use for the header at all.

Over the past two weeks, we've disclosed to the language teams affected (PHP, Python, Go, HHVM), as well as common CGI implementation vendors (Nginx, Apache). CERT have been involved in this process, and we've had the help of the Red Hat Product Security team. All these teams will probably have good advisories for their own specific affected software. The Apache Software Foundation have an advisory available at https://www.apache.org/security/asf-httpoxy-response.txt

The original discovery in 2001 seems to have been by Randal L. Schwartz. 2016 discovery was made by Scott Geary, research and disclosure co-ordinated by Dominic Scheirlinck, colleagues of mine.

Regards,
Richard
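The header-to-environment mapping the post describes, with the two defences it points at (strip the Proxy header at the edge; ignore HTTP_PROXY inside a CGI process), as an added example that is not part of the original post or of any affected project. The request headers, log lines and the `outgoing_proxy` helper are constructed for illustration; the REQUEST_METHOD check follows the approach taken by the post-httpoxy fixes in Go and CPython.

```python
import re

# Constructed sample request: "Proxy" is not a registered header and has no standard meaning.
SAMPLE_HEADERS = {
    "Host": "example.org",
    "User-Agent": "curl/7.47.0",
    "Proxy": "203.0.113.5:8080",   # client-controlled value (TEST-NET address, constructed)
}

def cgi_meta_variables(headers):
    """RFC 3875 section 4.1.18: each request header becomes HTTP_<NAME>, upper-cased with
    '-' replaced by '_'. This is how a Proxy header collides with HTTP_PROXY, the variable
    many HTTP clients read to pick their outgoing proxy."""
    return {"HTTP_" + name.upper().replace("-", "_"): value for name, value in headers.items()}

def strip_proxy_header(headers):
    """Edge mitigation (web server / reverse proxy): drop any Proxy header before the request
    reaches CGI, so HTTP_PROXY is never populated from client input."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}

def running_under_cgi(environ):
    """A process started by a CGI-style server always has REQUEST_METHOD set (RFC 3875
    section 4.1.17); a shell or cron job does not."""
    return "REQUEST_METHOD" in environ

def sanitize_cgi_environment(environ):
    """Application-side mitigation: under CGI, HTTP_PROXY may have been injected by the client,
    so remove it before any HTTP client consults the environment. Lowercase http_proxy is kept:
    CGI always upper-cases header names, so a client cannot produce it. Returns a copy; the
    caller decides whether to write it back to os.environ."""
    clean = dict(environ)
    if running_under_cgi(clean):
        clean.pop("HTTP_PROXY", None)
    return clean

def outgoing_proxy(environ):
    """Constructed stand-in for a naive client's proxy selection: honour HTTP_PROXY or
    http_proxy without asking where the value came from."""
    return environ.get("HTTP_PROXY") or environ.get("http_proxy") or None

def flag_proxy_header_lines(header_lines):
    """Detection over a dump of raw request header lines (constructed input): return the lines
    carrying a Proxy header, which no legitimate client should send."""
    return [line for line in header_lines if re.match(r"\s*proxy\s*:", line, re.IGNORECASE)]
```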