Date: Thu, 21 Jul 2016 20:41:48 +0200
From: Peter Bex <peter@...e-magic.net>
To: oss-security@...ts.openwall.com
Subject: Re: A CGI application vulnerability for PHP, Go, Python and others

On Mon, Jul 18, 2016 at 08:17:03AM -0600, Kurt Seifried wrote:
> Essentially there are two main cases where a CVE is assigned for the
> httpoxy issue:
>
> 1.
>
> A web server, programming language or framework (and in some limited
> situations the application itself) sets the environmental variable
> HTTP_PROXY from the user supplied Proxy header in the web request, or sets
> a similarly used variable (essentially when the request header turns from
> harmless data into a potentially harmful environmental variable)

This issue affects the CHICKEN egg "spiffy-cgi-handlers", which is an
optional add-on to add CGI and FastCGI support to the Spiffy web server.
Could I have a CVE for this issue? All versions before 0.5 are affected.
An announcement was made to
http://lists.gnu.org/archive/html/chicken-announce/2016-07/msg00000.html

The spiffy-cgi-handlers code was part of the spiffy web server before
version 5.0, so earlier versions of that egg were also affected. Strictly
speaking, I think this deserves another CVE because it's a different piece
of software.

> 2.
>
> A web application makes use of HTTP_PROXY or similar variable unsafely
> (e.g. fails to check the request type) resulting in an attacker controlled
> proxy being used (essentially when HTTP_PROXY is actually used unsafely)

I believe this affects the CHICKEN egg "http-client", when used in a CGI
context when the calling server unsafely passes "Proxy" as "HTTP_PROXY".
Could I have a CVE for this issue as well? It affects http-client versions
before 0.10 (the very first version, 0.1, is not affected because it had no
proxy support). An announcement for this is included in the message at the
aforementioned URL.

Cheers,
Peter Bex
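The two httpoxy cases above, server side (case 1: the CGI handler must not turn a client-supplied Proxy header into HTTP_PROXY) and client side (case 2: an HTTP client must not trust HTTP_PROXY when it is running under CGI), as an added Python illustration. This is not the spiffy-cgi-handlers or http-client code; the function names, the header set and the sample values are constructed for the example.

```python
# Added example: defensive handling of the two httpoxy cases.
# Not the CHICKEN egg code; names and sample values are constructed.
from typing import Dict, Mapping, Optional

# Request headers that the CGI spec (RFC 3875) maps to variables
# without the HTTP_ prefix.
_CGI_SPECIAL = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def cgi_environ(request_headers: Mapping[str, str], method: str = "GET") -> Dict[str, str]:
    """Build a CGI environment from request headers (case 1).

    RFC 3875 maps each request header to HTTP_<NAME>, so a client-sent
    'Proxy: evil.example:8080' would become HTTP_PROXY in the CGI process.
    The fix is to refuse to map that header at all: the server has no
    legitimate use for it.
    """
    env = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in request_headers.items():
        lname = name.lower()
        if lname == "proxy":
            # Dropped: it would become HTTP_PROXY and be read by any
            # proxy-aware client library the script calls.
            continue
        if lname in _CGI_SPECIAL:
            env[_CGI_SPECIAL[lname]] = value
            continue
        env["HTTP_" + lname.upper().replace("-", "_")] = value
    return env


def proxy_for_request(environ: Mapping[str, str]) -> Optional[str]:
    """Choose the outbound proxy for an HTTP client library (case 2).

    Inside a CGI process REQUEST_METHOD is always set and HTTP_PROXY may
    come from the request, so the variable is ignored there (the check
    the report calls 'check the request type'). Outside CGI it is honoured.
    """
    if "REQUEST_METHOD" in environ:
        return None
    return environ.get("HTTP_PROXY") or environ.get("http_proxy")
```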