Bugzilla – Bug 988492
VUL-0: CVE-2016-1000104: apache2-mod_fcgid: Setting HTTP_PROXY environment variable via Proxy header (httpoxy)
Last modified: 2016-07-27 16:00:32 UTC
bugbot adjusting priority
This should be reproducible in the same way as https://bugzilla.suse.com/show_bug.cgi?id=988488 but using mod_fcgid instead of mod_cgid
Courtesy of @osukup, FastCGI echo responders can be found at https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html#examples.
public at https://httpoxy.org/

Quoting from https://www.apache.org/security/asf-httpoxy-response.txt

Advisory: Apache Software Foundation Projects and "httpoxy"
CERT VU#797896
Canonical URL: https://www.apache.org/security/asf-httpoxy-response.txt
Publication: v1.0 18 July 2016

Audience
--------

This Advisory is directed to HTTP web server administrators and users of the software indicated below, including CGI developers. This Advisory is not directed to a general audience, especially web browser users. The issues raised by the "httpoxy" class of vulnerabilities affect web servers, and are not an issue for consumers of web services to address.

Background
----------

The ASF (Apache Software Foundation) offers a number of software packages which offer HTTP protocol ("Web") requests and responses, and offer the developer or administrator CGI (Common Gateway Interface) routing through these software packages. The Apache HTTP Server (httpd and mod_fcgid), Apache Perl (mod_perl) and Apache Tomcat projects all offer CGI handling of HTTP requests. The Apache Traffic Server proxies HTTP requests, but offers no CGI support. Many other ASF projects utilize the HTTP protocol, but at this time we have not identified any which provide CGI handling, or forward the HTTP "Proxy:" header implicated in the "httpoxy" class of issues. In the event that other projects discover such a defect, or can contribute to mitigating this class of issues, this Advisory will be updated.

Note especially that PHP (http://www.php.net) is not an Apache Software Foundation project (this is a common point of confusion), and that this Advisory does not attempt to address third-party software, scripts, libraries or components affected by the "httpoxy" group of issues. See https://httpoxy.org/ (not affiliated with the ASF) for a complete discussion of the "httpoxy" class of issues, which are not reiterated in this advisory.

The Apache Software Foundation wishes to thank Dominic Scheirlinck and Scott Geary of Vend for bringing this issue to the attention of the ASF Security Team for a well-coordinated community response.

Apache HTTP Server (httpd)
--------------------------

[...]

Apache HTTP Server (mod_fcgid)
------------------------------

Either mitigation listed above for Apache HTTP Server (httpd) guidance above also mitigates all risks for CGIs which are invoked by mod_fcgid. Therefore any CVE with respect to mod_fcgid is revoked as duplicate of CVE-2016-5387.

*** This bug has been marked as a duplicate of bug 988488 ***
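The mechanism behind this bug, as an added illustration (not code from mod_fcgid, httpd or the advisory): a CGI/FastCGI gateway turns every request header into an `HTTP_*` meta-variable per RFC 3875, so a client-supplied `Proxy` header lands in the child's environment as `HTTP_PROXY`, which common HTTP client libraries honour as their outbound proxy. The model below reproduces that mapping next to the gateway-side fix of dropping the header before the environment is built; the header names, values and helper names are constructed for the example.

```python
"""Model of RFC 3875 HTTP_* meta-variable derivation and the httpoxy guard.

Added example, not code from mod_fcgid or Apache httpd.
"""
from typing import Dict, Iterable, Tuple

# Headers that must never be turned into a proxy setting for the CGI child.
# Assumption for this example: only "Proxy" is in scope.
BLOCKED_HEADERS = {"proxy"}


def header_to_meta_variable(name: str) -> str:
    """RFC 3875 4.1.18: upper-case, '-' -> '_', prefix with HTTP_."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def build_cgi_env(headers: Iterable[Tuple[str, str]],
                  strip_proxy: bool) -> Dict[str, str]:
    """Build the HTTP_* part of a CGI environment from request headers.

    strip_proxy=False reproduces the httpoxy condition: a "Proxy" request
    header becomes HTTP_PROXY in the child's environment.
    strip_proxy=True is the gateway-side mitigation: the header is dropped
    before the environment is assembled, so HTTP_PROXY is never set.
    """
    env: Dict[str, str] = {}
    for name, value in headers:
        if strip_proxy and name.strip().lower() in BLOCKED_HEADERS:
            continue
        env[header_to_meta_variable(name)] = value.strip()
    return env


def exposes_http_proxy(env: Dict[str, str]) -> bool:
    """What to look for in the output of a FastCGI echo responder."""
    return "HTTP_PROXY" in env


# Constructed sample request headers; the Proxy value is a placeholder.
SAMPLE_HEADERS = [
    ("Host", "www.example.com"),
    ("User-Agent", "curl/7.47.0"),
    ("Proxy", "http://proxy.invalid:8080"),
]

if __name__ == "__main__":
    unmitigated = build_cgi_env(SAMPLE_HEADERS, strip_proxy=False)
    mitigated = build_cgi_env(SAMPLE_HEADERS, strip_proxy=True)
    print("unmitigated HTTP_PROXY:", unmitigated.get("HTTP_PROXY"))
    print("mitigated   HTTP_PROXY:", mitigated.get("HTTP_PROXY"))
```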
SUSE-SU-2016:1820-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 988492
CVE References: CVE-2016-1000104
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): apache2-mod_fcgid-2.2-31.29.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): apache2-mod_fcgid-2.2-31.29.1
This is an autogenerated message for OBS integration: This bug (988492) was mentioned in https://build.opensuse.org/request/show/415415 13.2+42.1 / apache2-mod_fcgid