Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAMqf4yDbXfYqFYHbMnMbrhcYfmjC56ok5+3VvNYfKndtsuECgA@mail.gmail.com>
Date: Tue, 19 Jul 2016 02:00:53 +1200
From: Richard Rowe <arch.richard@...il.com>
To: oss-security@...ts.openwall.com
Subject: A CGI application vulnerability for PHP, Go, Python and others

Hello,

The Vend security team would like to publicly disclose a vulnerability
we've (re)discovered in CGI and PHP web applications. Here's a two line
summary:


   -

   RFC 3875 (CGI) puts the HTTP Proxy header from a request into the
   environment variables as HTTP_PROXY


   -

   HTTP_PROXY is a popular environment variable used to configure an
   outgoing proxy


The consequence is that an attacker can force a proxy of their choice to be
used. This proxy receives the full request for anything sent over HTTP
using a vulnerable client. It can also act in a malicious way to tie up
server resources (a "reverse slowloris").

For the purposes of general disclosure to the wider ecosystem, we've
prepared a website that describes the issue and collects common
mitigations: https://httpoxy.org/ - but I'll continue with some notes below.

Particularly affected is anything using the Guzzle HTTP library for PHP,
but also many other languages and frameworks when deployed under 'real' CGI
(PHP's userspace is basically emulated CGI), including Go's net/http and
Python's requests. This bug appears to be more than 15 years old, and was
fixed in a piecemeal fashion in other software (e.g. curl, libwww-perl,
Ruby).

The good news, however, is that stripping any Proxy request header is easy
(because it is undefined by IETF and not listed in IANA's registry of
message headers) - there should be no standard use for the header at all.

Over the past two weeks, we've disclosed to the language teams affected
(PHP, Python, Go, HHVM), as well as common CGI implementation vendors
(Nginx, Apache). CERT have been involved in this process, and we’ve had the
help of the Red Hat Product Security team. All these teams will probably
have good advisories for their own specific affected software.

The Apache Software Foundation have an advisory available at
https://www.apache.org/security/asf-httpoxy-response.txt

The original discovery in 2001 seems to have been by Randal L. Schwartz.
2016 discovery was made by Scott Geary, research and disclosure
co-ordinated by Dominic Scheirlinck, colleagues of mine.

Regards,
Richard

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.