Bug 988491 (CVE-2016-1000105) - VUL-0: CVE-2016-1000105: nginx: Setting HTTP_PROXY environment variable via Proxy header (httpoxy)
Summary: VUL-0: CVE-2016-1000105: nginx: Setting HTTP_PROXY environment variable via P...
Status: RESOLVED FIXED
Alias: CVE-2016-1000105
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other openSUSE 42.2
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Stefan Schubert
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: httpoxy
  Show dependency treegraph
 
Reported: 2016-07-12 07:04 UTC by Andreas Stieger
Modified: 2017-05-02 08:20 UTC (History)
9 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Swamp Workflow Management 2016-07-12 22:01:38 UTC 
bugbot adjusting priority
Comment 2 Andreas Stieger 2016-07-18 14:19:01 UTC 
Public at https://httpoxy.org/
  A CGI application vulnerability
for PHP, Go, Python and others

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

    RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
    HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now. Here’s how.

httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.
What can happen if my web application is vulnerable?

If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:

    Proxy the outgoing HTTP requests made by the web application
    Direct the server to open outgoing connections to an address and port of their choosing
    Tie up server resources by forcing the vulnerable software to use a malicious proxy

httpoxy is extremely easy to exploit in basic form. And we expect security researchers to be able to scan for it quickly. Luckily, if you read on and find you are affected, easy mitigations are available.







Pointed out in 2013: https://forum.nginx.org/read.php?2,244407,244485#msg-244485
Comment 3 Marcus Meissner 2016-07-25 09:25:29 UTC 
.
Comment 4 Marcus Rückert 2016-10-19 15:39:19 UTC 
just because i occasionally fix the factory package, doesnt make me the maintainer of the package.

nginx -> webyast -> schubi
Comment 5 Stefan Schubert 2016-11-04 14:24:32 UTC 
Patch submitted to:
https://build.suse.de/request/show/123623
Comment 6 Swamp Workflow Management 2017-01-17 20:10:41 UTC 
SUSE-SU-2017:0190-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 982505,988491
CVE References: CVE-2016-1000105,CVE-2016-4450
Sources used:
SUSE Webyast 1.3 (src):    nginx-1.0-1.0.15-0.34.1
SUSE Studio Onsite 1.3 (src):    nginx-1.0-1.0.15-0.34.1
SUSE Lifecycle Management Server 1.3 (src):    nginx-1.0-1.0.15-0.34.1
Comment 7 Johannes Segitz 2017-01-18 09:27:43 UTC 
unfixed for openSUSE
Comment 8 Marguerite Su 2017-01-24 09:54:50 UTC 
Hello,

I have no access to build.suse.de.

Please reassign to someone else who can actually see the patch.

Marguerite
Comment 9 Marguerite Su 2017-01-26 08:07:03 UTC 
reassigned to Stefan Schubert who has access to SUSE internal build service and can view the fix.
Comment 10 Stefan Schubert 2017-05-02 08:20:28 UTC 
(In reply to Johannes Segitz from comment #7)
> unfixed for openSUSE

I have seen that someone has already fixed it for 42.2 Thanks !