Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 21 Jul 2016 20:41:48 +0200
From: Peter Bex <peter@...e-magic.net>
To: oss-security@...ts.openwall.com
Subject: Re: A CGI application vulnerability for PHP, Go,
 Python and others

On Mon, Jul 18, 2016 at 08:17:03AM -0600, Kurt Seifried wrote:
> Essentially there are two main cases where a CVE is assigned for the
> httpoxy issue:
> 
>    1.
> 
>    A web server, programming language or framework (and in some limited
>    situations the application itself) sets the environmental variable
>    HTTP_PROXY from the user supplied Proxy header in the web request, or sets
>    a similarly used variable (essentially when the request header turns from
>    harmless data into a potentially harmful environmental variable)

This isuee affects the CHICKEN egg "spiffy-cgi-handlers", which is an
optional add-on to add CGI and FastCGI support to the Spiffy web server.
Could I have a CVE for this issue?

All versions before 0.5 are affected.  An announcement was made to
http://lists.gnu.org/archive/html/chicken-announce/2016-07/msg00000.html

The spiffy-cgi-handlers code was part of the spiffy web server before
version 5.0, so earlier versions of that egg were also affected.  Strictly
speaking, I think this deserves another CVE because it's a different
piece of software.

>    2.
> 
>    A web application makes use of HTTP_PROXY or similar variable unsafely
>    (e.g. fails to check the request type) resulting in an attacker controlled
>    proxy being used (essentially when HTTP_PROXY is actually used unsafely)

I believe this affects the CHICKEN egg "http-client", when used in a CGI
context when the calling server unsafely passes "Proxy" as "HTTP_PROXY".
Could I have a CVE for this issue as well?

It affects http-client versions before 0.10 (the very first version, 0.1,
is not affected because it had no proxy support).

An announcement for this is included in the message at the
aforementioned URL.

Cheers,
Peter Bex

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.