Courtesy bug from the SUSE Security team against devel:languages:erlang/yaws

https://marc.info/?l=oss-security&m=146885145004975&w=2

From https://httpoxy.org/

 A CGI application vulnerability
for PHP, Go, Python and others

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

    RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
    HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now. Here’s how.

httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.
What can happen if my web application is vulnerable?

If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:

    Proxy the outgoing HTTP requests made by the web application
    Direct the server to open outgoing connections to an address and port of their choosing
    Tie up server resources by forcing the vulnerable software to use a malicious proxy

httpoxy is extremely easy to exploit in basic form. And we expect security researchers to be able to scan for it quickly. Luckily, if you read on and find you are affected, easy mitigations are available.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000108
http://seclists.org/oss-sec/2016/q3/95
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1000108.html