Message-ID: <CAMqf4yDbXfYqFYHbMnMbrhcYfmjC56ok5+3VvNYfKndtsuECgA@mail.gmail.com>
Date: Tue, 19 Jul 2016 02:00:53 +1200
From: Richard Rowe <arch.richard@...il.com>
To: oss-security@...ts.openwall.com
Subject: A CGI application vulnerability for PHP, Go, Python and others

Hello,

The Vend security team would like to publicly disclose a vulnerability
we've (re)discovered in CGI and PHP web applications. Here's a two line
summary:

   - RFC 3875 (CGI) puts the HTTP Proxy header from a request into the
     environment variables as HTTP_PROXY

   - HTTP_PROXY is a popular environment variable used to configure an
     outgoing proxy

The consequence is that an attacker can force a proxy of their choice to be
used. This proxy receives the full request for anything sent over HTTP
using a vulnerable client. It can also act in a malicious way to tie up
server resources (a "reverse slowloris").

For the purposes of general disclosure to the wider ecosystem, we've
prepared a website that describes the issue and collects common
mitigations: https://httpoxy.org/ - but I'll continue with some notes below.

Particularly affected is anything using the Guzzle HTTP library for PHP,
but also many other languages and frameworks when deployed under 'real' CGI
(PHP's userspace is basically emulated CGI), including Go's net/http and
Python's requests. This bug appears to be more than 15 years old, and was
fixed in a piecemeal fashion in other software (e.g. curl, libwww-perl,
Ruby).

The good news, however, is that stripping any Proxy request header is easy
(because it is undefined by IETF and not listed in IANA's registry of
message headers) - there should be no standard use for the header at all.

Over the past two weeks, we've disclosed to the language teams affected
(PHP, Python, Go, HHVM), as well as common CGI implementation vendors
(Nginx, Apache). CERT have been involved in this process, and we’ve had the
help of the Red Hat Product Security team. All these teams will probably
have good advisories for their own specific affected software.

The Apache Software Foundation have an advisory available at
https://www.apache.org/security/asf-httpoxy-response.txt

The original discovery in 2001 seems to have been by Randal L. Schwartz.
The 2016 discovery was made by Scott Geary, with research and disclosure
co-ordinated by Dominic Scheirlinck, colleagues of mine.

Regards,
Richard
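The mechanism described in the post, as an added illustration that is not part of the original message or of Vend's code: a constructed set of request headers is mapped to CGI meta-variables the way RFC 3875 specifies, showing the client's `Proxy` header becoming `HTTP_PROXY`, next to the two defences (stripping the header at the gateway, and a client that ignores `HTTP_PROXY` when `REQUEST_METHOD` shows it is running under CGI). The header values and the `outgoing_proxy` guard are assumptions made for the example, not any library's actual code.

```python
"""Constructed illustration of the httpoxy mechanism and its mitigations."""
from typing import Dict, Optional

# Constructed sample request, as an attacker-controlled client would send it.
SAMPLE_HEADERS = {
    "Host": "app.example",
    "User-Agent": "curl/7.49",
    "Proxy": "proxy.attacker.example:8080",   # the header the post is about
    "X-Forwarded-For": "203.0.113.7",
}


def cgi_meta_variables(headers: Dict[str, str], strip_proxy: bool = False) -> Dict[str, str]:
    """Map request headers to RFC 3875 meta-variables (HTTP_<NAME>).

    RFC 3875 upper-cases the field name and replaces '-' with '_', so a
    request header named 'Proxy' lands in the environment as HTTP_PROXY.
    With strip_proxy=True the header is dropped before the mapping, which is
    the gateway-side mitigation the post recommends (the header has no
    standard meaning, so nothing legitimate is lost).
    """
    env = {"REQUEST_METHOD": "GET", "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        if strip_proxy and name.lower() == "proxy":
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def outgoing_proxy(env: Dict[str, str]) -> Optional[str]:
    """Client-side guard (assumed logic, not a specific library's code).

    Honour the conventional proxy variables, but never trust HTTP_PROXY when
    REQUEST_METHOD is present: under CGI that variable can be request-supplied.
    The lower-case http_proxy form can only come from the real environment,
    since CGI meta-variables are always upper-case, so it stays usable.
    """
    if env.get("http_proxy"):
        return env["http_proxy"]
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY") or None


if __name__ == "__main__":
    vulnerable_env = cgi_meta_variables(SAMPLE_HEADERS)
    print("HTTP_PROXY seen by the CGI script:", vulnerable_env.get("HTTP_PROXY"))
    print("proxy used by a guarded client:   ", outgoing_proxy(vulnerable_env))
    print("HTTP_PROXY after header stripping:", cgi_meta_variables(SAMPLE_HEADERS, True).get("HTTP_PROXY"))
```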
