Message-ID: <20160721184148.GO26276@scully.more-magic.net>
Date: Thu, 21 Jul 2016 20:41:48 +0200
From: Peter Bex <peter@...e-magic.net>
To: oss-security@...ts.openwall.com
Subject: Re: A CGI application vulnerability for PHP, Go, Python and others

On Mon, Jul 18, 2016 at 08:17:03AM -0600, Kurt Seifried wrote:
> Essentially there are two main cases where a CVE is assigned for the
> httpoxy issue:
> 
>    1.
> 
>    A web server, programming language or framework (and in some limited
>    situations the application itself) sets the environmental variable
>    HTTP_PROXY from the user supplied Proxy header in the web request, or sets
>    a similarly used variable (essentially when the request header turns from
>    harmless data into a potentially harmful environmental variable)

This issue affects the CHICKEN egg "spiffy-cgi-handlers", which is an
optional add-on to add CGI and FastCGI support to the Spiffy web server.
Could I have a CVE for this issue?

All versions before 0.5 are affected.  An announcement was made to
http://lists.gnu.org/archive/html/chicken-announce/2016-07/msg00000.html

The spiffy-cgi-handlers code was part of the spiffy web server before
version 5.0, so earlier versions of that egg were also affected.  Strictly
speaking, I think this deserves another CVE because it's a different
piece of software.

>    2.
> 
>    A web application makes use of HTTP_PROXY or similar variable unsafely
>    (e.g. fails to check the request type) resulting in an attacker controlled
>    proxy being used (essentially when HTTP_PROXY is actually used unsafely)

I believe this affects the CHICKEN egg "http-client", when used in a CGI
context when the calling server unsafely passes "Proxy" as "HTTP_PROXY".
Could I have a CVE for this issue as well?

It affects http-client versions before 0.10 (the very first version, 0.1,
is not affected because it had no proxy support).

An announcement for this is included in the message at the
aforementioned URL.

Cheers,
Peter Bex
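
To make the two cases discussed in this thread concrete, here is an added Python example (not code from the CHICKEN eggs, from this message or from the advisory): a CGI meta-variable builder showing how a "Proxy" request header turns into HTTP_PROXY under the RFC 3875 naming rule, beside the server-side fix of not exporting that header, and a client-side guard that ignores HTTP_PROXY whenever REQUEST_METHOD shows the process is a CGI invocation. The header values and function names are constructed for the example.

```python
# Constructed sample request (not from the original message): a client sent a
# "Proxy" header next to ordinary headers.
SAMPLE_HEADERS = [
    ("Host", "example.test"),
    ("User-Agent", "curl/7.0"),
    ("Proxy", "proxy.example.invalid:8080"),  # the httpoxy header
]


def cgi_meta_variables(headers, drop_proxy=True):
    """Turn request headers into CGI HTTP_* meta-variables (RFC 3875 4.1.18).

    Each header name is upper-cased, hyphens become underscores and the
    result is prefixed with HTTP_. That rule makes a request header named
    "Proxy" collide with the HTTP_PROXY variable many HTTP clients read for
    their proxy setting (case 1 above). With drop_proxy=True the server-side
    fix is applied: "Proxy" has no legitimate CGI meaning, so it is never
    exported and the collision cannot occur.
    """
    env = {}
    for name, value in headers:
        if drop_proxy and name.lower() == "proxy":
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def effective_proxy(environ):
    """Client-side guard (case 2 above): which proxy should a client use?

    Outside CGI, HTTP_PROXY is a legitimate operator setting. Inside CGI the
    variable may have come from the request, so it is ignored whenever the
    process looks like a CGI invocation (REQUEST_METHOD is set). Lower-case
    http_proxy is honoured in both situations, because the CGI naming rule
    only ever produces upper-case HTTP_* names.
    """
    if environ.get("http_proxy"):
        return environ["http_proxy"]
    if "REQUEST_METHOD" in environ:
        return None
    return environ.get("HTTP_PROXY")


if __name__ == "__main__":
    print("unfixed server:", cgi_meta_variables(SAMPLE_HEADERS, drop_proxy=False))
    print("fixed server:  ", cgi_meta_variables(SAMPLE_HEADERS))
    print("client in CGI: ", effective_proxy({"REQUEST_METHOD": "GET",
                                              "HTTP_PROXY": "proxy.example.invalid:8080"}))
```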

