oss-sec mailing list archives

Re: A CGI application vulnerability for PHP, Go, Python and others


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 18 Jul 2016 08:17:03 -0600

Also the current list of CVEs is:

CVE-2016-5385 PHP
CVE-2016-5386 Go
CVE-2016-5387 Apache HTTPD
CVE-2016-1000104 mod_fcgi
CVE-2016-1000105 Nginx cgi script
CVE-2016-5388 Tomcat
CVE-2016-1000107 Erlang HTTP Server
CVE-2016-1000108 YAWS
CVE-2016-1000109 HHVM FastCGI
CVE-2016-1000110 Python CGIHandler
CVE-2016-1000111 Python twisted

there will of course be more. From my Google doc:

CVE counting for httpoxy

This document essentially discusses the CVE counting strategy for the
httpoxy issue.

Essentially there are two main cases where a CVE is assigned for the
httpoxy issue:


   1. A web server, programming language or framework (and in some limited
      situations the application itself) sets the environmental variable
      HTTP_PROXY from the user supplied Proxy header in the web request, or sets
      a similarly used variable (essentially when the request header turns from
      harmless data into a potentially harmful environmental variable)
   2. A web application makes use of HTTP_PROXY or similar variable unsafely
      (e.g. fails to check the request type) resulting in an attacker controlled
      proxy being used (essentially when HTTP_PROXY is actually used unsafely)


Some examples of situations where a web server, programming language or
framework would qualify for a CVE regarding httpoxy:

   1. PHP passes the proxy as HTTP_PROXY, as such applications commonly import
      and use HTTP_*
   2. mod_cgi/fast_cgi and related CGI programs set HTTP_PROXY based on the
      request header
   3. An application uses an HTTP request library that trusts HTTP_PROXY
      resulting in attacker control of requests


Some examples of situations where a web server, programming language or
framework would NOT qualify for a CVE regarding httpoxy:

   1. A web server such as Apache passes the proxy header to a programming
      language or framework
   2. A library trusts HTTP_PROXY, the library does not earn a CVE, the
      application using it would qualify for a CVE, and generally speaking
      whatever set the HTTP_PROXY variable would also earn a CVE

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
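The two CVE cases above (something sets HTTP_PROXY from the client's Proxy header; something then trusts HTTP_PROXY without checking that it is running under CGI) can be seen end to end in the following added example. It is not code from the post, from Red Hat, or from any of the listed projects; the request, hostnames and function names are constructed for illustration. `cgi_environ` models what a CGI gateway does per RFC 3875 (every request header becomes an `HTTP_<NAME>` meta-variable), `naive_proxy_from_environment` models a client library that trusts `HTTP_PROXY`, `hardened_proxy_from_environment` applies the check Python's urllib and Go's net/http adopted (ignore `HTTP_PROXY` whenever `REQUEST_METHOD` is set), and `strip_proxy_header` models the server-side fix of dropping the variable before the script runs.

```python
"""httpoxy (CVE-2016-5385 and friends) in miniature: header -> env var -> proxy."""
from typing import Dict, Optional

# Constructed sample request (not captured traffic): a client sends a
# "Proxy:" header to a CGI script.
SAMPLE_REQUEST = (
    "GET /cgi-bin/app HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Proxy: http://attacker.test:8080\r\n"
    "User-Agent: curl/7.0\r\n"
    "\r\n"
)


def cgi_environ(raw_request: str) -> Dict[str, str]:
    """Build the CGI meta-variables (RFC 3875, section 4.1.18) a gateway
    exports for a request: each header becomes HTTP_<NAME>, uppercased, with
    '-' turned into '_'.  A 'Proxy:' header therefore becomes HTTP_PROXY."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "REQUEST_URI": target,
    }
    for line in header_lines:
        name, _, value = line.partition(":")
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env


def naive_proxy_from_environment(env: Dict[str, str]) -> Optional[str]:
    """A client library that trusts HTTP_PROXY unconditionally: under CGI the
    returned proxy is whatever the remote client put in the Proxy header."""
    return env.get("HTTP_PROXY") or env.get("http_proxy") or None


def hardened_proxy_from_environment(env: Dict[str, str]) -> Optional[str]:
    """Same lookup with the httpoxy check: when REQUEST_METHOD is present the
    process is a CGI script, so HTTP_PROXY may have come from the request and
    is ignored.  Lowercase http_proxy is still honoured because a CGI gateway
    uppercases header names and can never produce it; only the operator can."""
    if env.get("http_proxy"):
        return env["http_proxy"]
    running_as_cgi = "REQUEST_METHOD" in env
    if not running_as_cgi and env.get("HTTP_PROXY"):
        return env["HTTP_PROXY"]
    return None


def strip_proxy_header(env: Dict[str, str]) -> Dict[str, str]:
    """Server-side mitigation (the CGI gateway's job, case 1 in the post):
    drop HTTP_PROXY before the script is executed, equivalent to unsetting the
    Proxy request header at the web server.  Returns a new environment."""
    return {k: v for k, v in env.items() if k != "HTTP_PROXY"}


if __name__ == "__main__":
    env = cgi_environ(SAMPLE_REQUEST)
    print("CGI env HTTP_PROXY  :", env.get("HTTP_PROXY"))
    print("naive library uses  :", naive_proxy_from_environment(env))
    print("hardened library    :", hardened_proxy_from_environment(env))
    print("after gateway strips:", naive_proxy_from_environment(strip_proxy_header(env)))
```

Both fixes are needed in practice: the gateway fix protects scripts written in languages that were never patched, and the library fix protects scripts behind a server whose operator forgot the header rule. The check on `REQUEST_METHOD` is also why a plain command-line run of the same code, where no gateway sets that variable, keeps honouring `HTTP_PROXY` as before.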