Bug 989569 (CVE-2016-1000107) - VUL-2: erlang: CVE-2016-1000107: Setting HTTP_PROXY environment variable via Proxy header (httpoxy)
Summary: VUL-2: erlang: CVE-2016-1000107: Setting HTTP_PROXY environment variable via ...
Status: RESOLVED WONTFIX
Alias: CVE-2016-1000107
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Cloud Bugs
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/171046/
Whiteboard: CVSSv2:SUSE:CVE-2016-1000107:5.0:(AV...
Keywords:
Depends on:
Blocks: httpoxy
Reported: 2016-07-19 15:01 UTC by Andreas Stieger
Modified: 2020-12-21 16:13 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2016-07-19 15:01:17 UTC
+++ This bug was initially created as a clone of Bug #988484 +++

http://seclists.org/oss-sec/2016/q3/95

The Vend security team would like to publicly disclose a vulnerability
we've (re)discovered in CGI and PHP web applications. Here's a two line
summary:


   -

   RFC 3875 (CGI) puts the HTTP Proxy header from a request into the
   environment variables as HTTP_PROXY


   -

   HTTP_PROXY is a popular environment variable used to configure an
   outgoing proxy


The consequence is that an attacker can force a proxy of their choice to be
used. This proxy receives the full request for anything sent over HTTP
using a vulnerable client. It can also act in a malicious way to tie up
server resources (a "reverse slowloris").

For the purposes of general disclosure to the wider ecosystem, we've
prepared a website that describes the issue and collects common
mitigations: https://httpoxy.org/ - but I'll continue with some notes below.

Particularly affected is anything using the Guzzle HTTP library for PHP,
but also many other languages and frameworks when deployed under 'real' CGI
(PHP's userspace is basically emulated CGI), including Go's net/http and
Python's requests. This bug appears to be more than 15 years old, and was
fixed in a piecemeal fashion in other software (e.g. curl, libwww-perl,
Ruby).

The good news, however, is that stripping any Proxy request header is easy
(because it is undefined by IETF and not listed in IANA's registry of
message headers) - there should be no standard use for the header at all.

Over the past two weeks, we've disclosed to the language teams affected
(PHP, Python, Go, HHVM), as well as common CGI implementation vendors
(Nginx, Apache). CERT have been involved in this process, and we’ve had the
help of the Red Hat Product Security team. All these teams will probably
have good advisories for their own specific affected software.

The Apache Software Foundation have an advisory available at
https://www.apache.org/security/asf-httpoxy-response.txt

The original discovery in 2001 seems to have been by Randal L. Schwartz.
The 2016 discovery was made by Scott Geary; research and disclosure were
co-ordinated by Dominic Scheirlinck, colleagues of mine.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000107
http://seclists.org/oss-sec/2016/q3/95
Comment 1 Andreas Stieger 2016-07-19 15:01:51 UTC
Looks like here..
https://github.com/erlang/otp/blob/maint/lib/inets/src/http_server/httpd_script_env.erl#L125-L126
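The RFC 3875 header-to-environment mapping the disclosure describes, together with the client-side guard that several HTTP libraries adopted in response, as an added Python example. This is illustrative code written for this page, not code from OTP's inets, from Vend, or from any of the libraries named above; the sample headers and the proxy.invalid host are constructed.

```python
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample request; the Proxy value is a placeholder, not a real host.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "curl/7.50"),
    ("Content-Type", "application/x-www-form-urlencoded"),
    ("Proxy", "http://proxy.invalid:8080"),
]

# RFC 3875 gives these two headers their own meta-variables, without HTTP_ prefix.
_NO_HTTP_PREFIX = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def cgi_env_from_headers(headers: Iterable[Tuple[str, str]],
                         drop_proxy: bool = False) -> Dict[str, str]:
    """Build the CGI meta-variables for a request, RFC 3875 style.

    Every other header is upper-cased, '-' becomes '_' and 'HTTP_' is prefixed,
    so a client-supplied 'Proxy' header lands in HTTP_PROXY.  With
    drop_proxy=True the Proxy header is discarded, which is the server-side
    httpoxy mitigation (the header has no standard meaning, so nothing is lost).
    """
    env: Dict[str, str] = {}
    for name, value in headers:
        key = name.lower()
        if key == "proxy" and drop_proxy:
            continue
        if key in _NO_HTTP_PREFIX:
            env[_NO_HTTP_PREFIX[key]] = value
        else:
            env["HTTP_" + key.upper().replace("-", "_")] = value
    env["REQUEST_METHOD"] = "POST"  # constructed; every CGI invocation sets this
    return env


def effective_http_proxy(env: Dict[str, str]) -> Optional[str]:
    """Client-side guard: which proxy would an outgoing HTTP client honour?

    When the process is a CGI script (REQUEST_METHOD is present) the upper-case
    HTTP_PROXY variable is ignored because it may have come from the request;
    only the lower-case http_proxy, which CGI never sets, is used.  Outside CGI
    both spellings are accepted, lower-case taking precedence.
    """
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy") or None
    return env.get("http_proxy") or env.get("HTTP_PROXY") or None
```

Running `effective_http_proxy(dict(os.environ))` inside a real CGI script shows whether the guard would save a client that still trusts HTTP_PROXY.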
Comment 3 Swamp Workflow Management 2016-07-19 22:00:57 UTC
bugbot adjusting priority
Comment 4 Andreas Stieger 2016-07-28 14:09:05 UTC
Upstream reaction unclear: https://bugs.erlang.org/browse/ERL-198
I see that couchdb uses erlang, but I did not see it reading the environment.
Not requesting an update.