Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 18 Jul 2016 08:17:03 -0600
From: Kurt Seifried <>
To: oss-security <>
Subject: Re: A CGI application vulnerability for PHP, Go,
 Python and others

Also the current list of CVEs is:

CVE-2016-5385 PHP
CVE-2016-5386 Go
CVE-2016-5387 Apache HTTPD
CVE-2016-1000104 mod_fcgi
CVE-2016-1000105 Nginx cgi script
CVE-2016-5388 Tomcat
CVE-2016-1000107 Erlang HTTP Server
CVE-2016-1000108 YAWS
CVE-2016-1000109 HHVM FastCGI
CVE-2016-1000110 Python CGIHandler
CVE-2016-1000111 Python twisted

there will of course be more. From my Google doc:

CVE counting for httpoxy

This document essentially discusses the CVE counting strategy for the
httpoxy issue.

Essentially there are two main cases where a CVE is assigned for the
httpoxy issue:


   A web server, programming language or framework (and in some limited
   situations the application itself) sets the environmental variable
   HTTP_PROXY from the user supplied Proxy header in the web request, or sets
   a similarly used variable (essentially when the request header turns from
   harmless data into a potentially harmful environmental variable)

   A web application makes use of HTTP_PROXY or similar variable unsafely
   (e.g. fails to check the request type) resulting in an attacker controlled
   proxy being used (essentially when HTTP_PROXY is actually used unsafely)

Some  examples of situations where a web server, programming language or
framework would qualify for a CVE regarding httpoxy:


   PHP passes the proxy as HTTP_PROXY, as such applications commonly import
   and use HTTP_*

   mod_cgi/fast_cgi and related CGI programs set HTTP_PROXY based on the
   request header

   An application uses an HTTP request library that trusts HTTP_PROXY
   resulting in attacker control of requests

Some  examples of situations where a web server, programming language or
framework would NOT qualify for a CVE regarding httpoxy:


   A web server such as Apache passes the proxy header to a programming
   language or framework

   A library trusts HTTP_PROXY, the library does not earn a CVE, the
   application using it would qualify for a CVE, and generally speaking
   whatever set the HTTP_PROXY variable would also earn a CVE

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact:

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ