oss-sec mailing list archives
Re: A CGI application vulnerability for PHP, Go, Python and others
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 18 Jul 2016 08:17:03 -0600
Also the current list of CVEs is: CVE-2016-5385 PHP CVE-2016-5386 Go CVE-2016-5387 Apache HTTPD CVE-2016-1000104 mod_fcgi CVE-2016-1000105 Nginx cgi script CVE-2016-5388 Tomcat CVE-2016-1000107 Erlang HTTP Server CVE-2016-1000108 YAWS CVE-2016-1000109 HHVM FastCGI CVE-2016-1000110 Python CGIHandler CVE-2016-1000111 Python twisted there will of course be more. From my Google doc: CVE counting for httpoxy This document essentially discusses the CVE counting strategy for the httpoxy issue. Essentially there are two main cases where a CVE is assigned for the httpoxy issue: 1. A web server, programming language or framework (and in some limited situations the application itself) sets the environmental variable HTTP_PROXY from the user supplied Proxy header in the web request, or sets a similarly used variable (essentially when the request header turns from harmless data into a potentially harmful environmental variable) 2. A web application makes use of HTTP_PROXY or similar variable unsafely (e.g. fails to check the request type) resulting in an attacker controlled proxy being used (essentially when HTTP_PROXY is actually used unsafely) Some examples of situations where a web server, programming language or framework would qualify for a CVE regarding httpoxy: 1. PHP passes the proxy as HTTP_PROXY, as such applications commonly import and use HTTP_* 2. mod_cgi/fast_cgi and related CGI programs set HTTP_PROXY based on the request header 3. An application uses an HTTP request library that trusts HTTP_PROXY resulting in attacker control of requests Some examples of situations where a web server, programming language or framework would NOT qualify for a CVE regarding httpoxy: 1. A web server such as Apache passes the proxy header to a programming language or framework 2. A library trusts HTTP_PROXY, the library does not earn a CVE, the application using it would qualify for a CVE, and generally speaking whatever set the HTTP_PROXY variable would also earn a CVE -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert () redhat com
Current thread:
- A CGI application vulnerability for PHP, Go, Python and others Richard Rowe (Jul 18)
- Re: A CGI application vulnerability for PHP, Go, Python and others Kurt Seifried (Jul 18)
- Re: A CGI application vulnerability for PHP, Go, Python and others Peter Bex (Jul 21)
- Re: A CGI application vulnerability for PHP, Go, Python and others Solar Designer (Jul 18)
- Re: A CGI application vulnerability for PHP, Go, Python and others Jan Schaumann (Jul 18)
- Re: A CGI application vulnerability for PHP, Go, Python and others Solar Designer (Jul 18)
- Re: A CGI application vulnerability for PHP, Go, Python and others Kurt Seifried (Jul 18)
- Re: A CGI application vulnerability for PHP, Go, Python and others Solar Designer (Jul 18)
- Re: A CGI application vulnerability for PHP, Go, Python and others Kurt Seifried (Jul 18)