Date: Mon, 7 Dec 2015 16:07:23 +0100
From: Andreas Stieger <>
Subject: CVE-2015-7519: Phusion Passenger Header overwriting issue

Header overwriting issue in Phusion Passenger -
CRD was 2015-12-07 11:00 UTC / 12:00 CET.
Upstream developers were informed and agreed, and issued the text below and the attached patch. Fixed in release 5.0.22.
Discovered by Moises Deniz, Michael Schröder, Adrian Schröter of SUSE Linux.
SUSE bug:

CVE-2015-7519 was assigned to this issue.

------------ issue -------------
1. Given the precondition that the SCGI protocol is used (in Passenger
this means Rack/Rails or Python), and an app depends on a header set by
a trusted server (here: Apache) that includes a dash, for example:
Foobar-User: user

2. It is possible for an untrusted remote client to set a "colliding"
Foobar_User: impersonation

3. The colliding header appears different to the server (_ instead of -)
and is thus not overwritten but preserved.

4. Conversion of the headers for SCGI requires dropping the (_ -)
difference, which results in Passenger sending two headers with the same
HTTP_FOOBAR_USER: impersonation

The exploit is then that the value "impersonation" of the second
HTTP_FOOBAR_USER may overwrite the value of the first (if a hashmap is
used), making the application believe a different value was set by the

Indeed, we can make request.headers["HTTP_FOOBAR_USER"] show
"impersonation" instead of "user", confirming the issue, which can have
security implications, e.g. if the header is used for authentication.

------------ affected use-cases -------------
As far as we can see, affected use-cases are:
- Passenger, with Apache (Nginx already filters) or standalone/builtin,
using a Ruby or Python app (Node.js/Meteor/io.js don't use SCGI),
whereby the app depends on a server-set variable containing one or more

------------ resolution -------------
We propose a different patch; not in the apache module but at the point
where the SCGI conversion occurs. The main reason is that this covers
the second affected path: standalone mode using the 'builtin' engine.
See attached (N.B. the httpToEnv you patched is unreferenced code and
has now been cleaned up).

The patch has been committed to the (internal) cgi_header_collision
passenger branch and is pending merge to stable, to be included in the
upcoming 5.0.22 release (ASAP).

------------ side-effects -------------
Like the patch in the mod_cgi mailing list, this one still breaks
applications that depend on non-standard (e.g. underscored) client
headers. Similarly, the workaround is the same, rewrite the necessary
SetEnvIfNoCase ^X.Underscored.Header$ ^(.*)$ fix_header=$1
RequestHeader set X-Underscored-Header %{fix_header}e env=fix_header
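To make the collision described in the issue section and the conversion-point mitigation of the resolution section concrete, here is an added Python model of the header-to-SCGI-environment conversion (example code, not Passenger's or SUSE's own); the sample header names and values are constructed, and the hardened filter is an assumption about the approach, not Passenger's exact patch.

```python
# Added example (not Passenger's code): header -> SCGI env conversion
# from the advisory, the collision it causes, and the mitigation.

def cgi_env_name(header_name):
    """HTTP header name -> CGI meta-variable name. Upper-casing and
    mapping '-' to '_' is the step that erases the dash/underscore
    distinction the front-end server relied on."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def to_scgi_env(headers):
    """Naive conversion of ordered (name, value) pairs. Like an app-side
    hash map, a later entry silently overwrites an earlier one."""
    env = {}
    for name, value in headers:
        env[cgi_env_name(name)] = value
    return env

def find_collisions(headers):
    """Detection aid: raw header names that normalise to one CGI name.
    Returns {cgi_name: [raw names]} for every name with more than one."""
    seen = {}
    for name, _ in headers:
        seen.setdefault(cgi_env_name(name), []).append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}

def to_scgi_env_hardened(headers):
    """Mitigation at the conversion point: refuse any header whose raw
    name contains '_' (assumption: mirrors the approach described, not
    Passenger's exact patch). Side effect, as the advisory notes:
    legitimate underscored client headers are dropped too."""
    return to_scgi_env((n, v) for n, v in headers if "_" not in n)

# Constructed request as Passenger would receive it: the trusted
# front-end set Foobar-User; the client sent a colliding Foobar_User
# that the front-end did not treat as the same header.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("Foobar-User", "user"),           # set by Apache (trusted)
    ("Foobar_User", "impersonation"),  # supplied by the remote client
    ("X_Legacy_Token", "abc"),         # legitimate underscored header
]

if __name__ == "__main__":
    print(find_collisions(SAMPLE_HEADERS))
    print(to_scgi_env(SAMPLE_HEADERS)["HTTP_FOOBAR_USER"])           # impersonation
    print(to_scgi_env_hardened(SAMPLE_HEADERS)["HTTP_FOOBAR_USER"])  # user
```

The dropped `X_Legacy_Token` illustrates the side effect above: such headers must be rewritten to a dashed name by the front-end (as in the SetEnvIf/RequestHeader workaround) before they reach the conversion.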

Andreas Stieger <>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)

