Date: Mon, 18 Jul 2016 08:17:03 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security <oss-security@...ts.openwall.com> Subject: Re: A CGI application vulnerability for PHP, Go, Python and others Also the current list of CVEs is: CVE-2016-5385 PHP CVE-2016-5386 Go CVE-2016-5387 Apache HTTPD CVE-2016-1000104 mod_fcgi CVE-2016-1000105 Nginx cgi script CVE-2016-5388 Tomcat CVE-2016-1000107 Erlang HTTP Server CVE-2016-1000108 YAWS CVE-2016-1000109 HHVM FastCGI CVE-2016-1000110 Python CGIHandler CVE-2016-1000111 Python twisted there will of course be more. From my Google doc: CVE counting for httpoxy This document essentially discusses the CVE counting strategy for the httpoxy issue. Essentially there are two main cases where a CVE is assigned for the httpoxy issue: 1. A web server, programming language or framework (and in some limited situations the application itself) sets the environmental variable HTTP_PROXY from the user supplied Proxy header in the web request, or sets a similarly used variable (essentially when the request header turns from harmless data into a potentially harmful environmental variable) 2. A web application makes use of HTTP_PROXY or similar variable unsafely (e.g. fails to check the request type) resulting in an attacker controlled proxy being used (essentially when HTTP_PROXY is actually used unsafely) Some examples of situations where a web server, programming language or framework would qualify for a CVE regarding httpoxy: 1. PHP passes the proxy as HTTP_PROXY, as such applications commonly import and use HTTP_* 2. mod_cgi/fast_cgi and related CGI programs set HTTP_PROXY based on the request header 3. An application uses an HTTP request library that trusts HTTP_PROXY resulting in attacker control of requests Some examples of situations where a web server, programming language or framework would NOT qualify for a CVE regarding httpoxy: 1. A web server such as Apache passes the proxy header to a programming language or framework 2. A library trusts HTTP_PROXY, the library does not earn a CVE, the application using it would qualify for a CVE, and generally speaking whatever set the HTTP_PROXY variable would also earn a CVE -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert@...hat.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.