Date: Mon, 18 Jul 2016 17:56:53 +0300 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Cc: Richard Rowe <arch.richard@...il.com> Subject: Re: A CGI application vulnerability for PHP, Go, Python and others On Tue, Jul 19, 2016 at 02:00:53AM +1200, Richard Rowe wrote: > The Apache Software Foundation have an advisory available at > https://www.apache.org/security/asf-httpoxy-response.txt Neither the Apache advisory above nor the httpoxy website currently mention the below detail, so I thought I'd post: Apache httpd trunk's suexec wrapper was patched to filter out HTTP_PROXY on February 13, 2015: http://mail-archives.apache.org/mod_mbox/httpd-cvs/201502.mbox/%3C20150213232410.B89BCAC0110@...es.apache.org%3E http://svn.apache.org/r1659711 https://svn.apache.org/repos/asf/httpd/httpd/trunk/CHANGES *) suexec: Filter out the HTTP_PROXY environment variable because it is treated as alias for http_proxy by some programs. [Stefan Fritsch] The httpoxy website refers to a posting by Stefan Fritsch: http://mail-archives.apache.org/mod_mbox/httpd-dev/201502.mbox/%3C2651807.jIIY3NPtlf@...E but not yet to its apparent outcome, above. httpd 2.4.23's suexec does not yet include this change (different branch). Of course, it's just suexec, which isn't always used, so it was not a complete fix anyway. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ