Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAFHDqJPkKJSrLp-oOdb5f94rU2yeuDrNM+MTmSn+hNz-+SqbeA@mail.gmail.com>
Date: Tue, 13 Sep 2016 22:11:42 +0300
From: watashiwaher <watashiwaher@...il.com>
To: oss-security@...ts.openwall.com
Subject: libxml with CGI fix

Hi, huys! There is a known httpoxy vulnerability ( https://httpoxy.org/ ).
There is a problem with CGI usage in all application which use libxml2
library. Attacker can make requests via attacker proxy from target server
using this vulnerability. I reported this problem in the 5th august, but
developers didn't reply me at all, and I don't know if they want to
response.

So here is my original report to libxml2 team (with patch):

There is a security problem in libxml2.
>
> Problem:
> There is a httpoxy vulnerability in libxml2 ( http://libpoxy.org )
> It affects the usage of libxml2 inside CGI applications.
>
> libxml2 is used in many popular products. So if someone of these popular products will be used inside CGI script, attacker will be able to override HTTP_PROXY environment variable by placing Proxy header with desired proxy name. It will affect the usage of xmlNanoHTTPInit function inside nanohttp.c. Requests will go through proxies of the attacker.
>
> Possible solutions:
> I found 2 possible solutions.
> 1) Use HTTP_PROXY variable in lower case
>    (Curl style)
>    It works because CGI variables are sent only in upper case.
>    But doesn't work on windows because getenv is not case
>    sensitive in the Windows operating system.
> 2) Do not accept HTTP_PROXY variable when REQUEST_METHOD environment variable defined.
>    (Python style)
>    It works because REQUEST_METHOD variable indicates that CGI is used.
>    But there is a problem with windows (we can't use HTTP_PROXY in CGI at all)
>    and with other operation systems (where HTTP_PROXY is already used in uppercase )
>
> I made a mall patch that uses both solutions in the same time. It doesn't accept HTTP_PROXY when REQUEST_METHOD defined. In non windows OS it accepts it in lower case anyway, in windows it doesn't accept it.
>
> Example of vulnerability (what I found):

First time I found httpoxy vulnerability in perlmagick

( http://www.imagemagick.org/script/perl-magick.php )



Code like this was used inside CGI script:
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> Image::Magick->New()->Get('http://somesite.com/somefile.txt');
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<



Actually this code called ImageMagick to download this file.
> Inside Imagemagick code was like this:
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> char
> buffer[MaxBufferExtent],
> *type; int
> bytes; void
> *context; type=(char *) NULL;
> context=xmlNanoHTTPMethod(filename,(const char *) NULL,
> (const char *) NULL,&type,(const char *) NULL,0);
> if (context != (void *) NULL)
> {
> ssize_t
> count; while ((bytes=xmlNanoHTTPRead(context,buffer,MaxBufferExtent)) > 0)
> count=(ssize_t) fwrite(buffer,bytes,1,file);
> (void) count;
> xmlNanoHTTPClose(context);
> xmlFree(type);
> xmlNanoHTTPCleanup();
> }
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<



And finally xmlNanoHTTPInit inside libxml2 function used environment
> variable HTTP_PROXY. I want to say that developers of any software which
> uses libxml2 may not know about httpoxy vulnerability and about the
> possibility of usage HTTP_PROXY variable with libxml2 library.


> Example of vulnerability (what I found):
>
> First time I found httpoxy vulnerability in perlmagick
> ( http://www.imagemagick.org/script/perl-magick.php )
>
> Code like this was used inside CGI script:>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> Image::Magick->New()->Get('http://somesite.com/somefile.txt');
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> Actually this code called ImageMagick to download this file.
> Inside Imagemagick code was like this:>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> char
>   buffer[MaxBufferExtent],
>   *type;
>
> int
>   bytes;
>
> void
>   *context;
>
> type=(char *) NULL;
> context=xmlNanoHTTPMethod(filename,(const char *) NULL,
>   (const char *) NULL,&type,(const char *) NULL,0);
> if (context != (void *) NULL)
>   {
>     ssize_t
>       count;
>
>     while ((bytes=xmlNanoHTTPRead(context,buffer,MaxBufferExtent)) > 0)
>       count=(ssize_t) fwrite(buffer,bytes,1,file);
>     (void) count;
>     xmlNanoHTTPClose(context);
>     xmlFree(type);
>     xmlNanoHTTPCleanup();
>   }
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> And finally xmlNanoHTTPInit inside libxml2 function used environment variable HTTP_PROXY.
>
> I want to say that developers of any software which uses libxml2 may not know about httpoxy vulnerability and about the possibility of usage HTTP_PROXY variable with libxml2 library.
> The easiest way to fix possible vulnerability everywhere is just to fix it inside libxml2.
>
>
Patch address: https://bugzilla.gnome.org/attachment.cgi?id=332806

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.