Bugzilla – Bug 990847
VUL-0: CVE-2016-1000212: lighttpd: Setting HTTP_PROXY environment variable via Proxy header (httpoxy)
Last modified: 2017-08-15 12:01:56 UTC
public at https://httpoxy.org/

From CERT:

We have received a report of a vulnerability affecting web servers that run code in a CGI or CGI-like context. We are tracking this as VU#797896, please retain VU#797896 in the subject of any email reply. Note that if you have already received information about "httpoxy," then this notification may be redundant.

Public disclosure is scheduled for next Monday, 18 July 2016, at 10:00 AM EST.

Per the original report:

"""
RFC 3875 (CGI) puts any HTTP 'Proxy' header present in a request into the environment as HTTP_PROXY. HTTP_PROXY has also become a popular environment variable used to configure an outgoing proxy. It is this namespace conflict that forms the basis of all the vulnerabilities. The remote attacker can redirect or man-in-the-middle internal HTTP subrequests, or direct the server to open outgoing connections to an address and port of their choosing.
"""

Both of the following are necessary to be considered vulnerable:

1. A web server, programming language or framework (and in some limited situations the application itself) sets the environmental variable HTTP_PROXY from the user supplied Proxy header in the web request, or sets a similarly used variable (essentially when the request header turns from harmless data into a potentially harmful environmental variable).

2. A web application makes use of HTTP_PROXY or similar variable unsafely (e.g. fails to check the request type) resulting in an attacker controlled proxy being used (essentially when HTTP_PROXY is actually used unsafely).

The CERT/CC will be tracking vendor statuses for this issue. Please let us know whether your products are affected and if you would like for a statement to be included in our vulnerability note.
Regards,
Joel Land
Vulnerability Analysis Team
==============================
CERT Coordination Center
www.cert.org / cert@cert.org
==============================

lighttpd fix:
https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/779c133c16f9af168b004dce7a2a64f16c1cb3a4/diff

ID 779c133c16f9af168b004dce7a2a64f16c1cb3a4
Parent d506f4a5
Child 1ebc83f1
Added by gstrauss 8 days ago

[security] do not emit HTTP_PROXY to CGI env

Strip bogus "Proxy" header before creating subprocess environment. (mod_cgi, mod_fastcgi, mod_scgi, mod_ssi, mod_proxy)

Do not emit HTTP_PROXY to subprocess environment. Some executables use HTTP_PROXY to configure outgoing proxy. This is not a lighttpd security issue per se, but this change to lighttpd adds a layer of defense to protect backend processes which might be vulnerable due to blindly using this untrusted environment variable. The HTTP_PROXY environment variable should not be trusted by a program running in a CGI-like environment.

Mitigation in lighttpd <= 1.4.40 is to reject requests w/ Proxy header:

Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:

    if (lighty.request["Proxy"] == nil) then return 0 else return 403 end

Modify lighttpd.conf to load mod_magnet and run lua code:

    server.modules += ( "mod_magnet" )
    magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

References:
https://www.kb.cert.org/vuls/id/797896 CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables
https://httpoxy.org/ httpoxy: A CGI application vulnerability

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1360638
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000212
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1000212.html
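The following is an added worked example, not code from this bug report, from CERT or from lighttpd. It simulates the two conditions CERT lists above (a gateway that maps the client's "Proxy" header into HTTP_PROXY per RFC 3875, and a backend that blindly honours HTTP_PROXY) and shows both layers of defence discussed in this bug: the server-side fix from the lighttpd commit (drop the "Proxy" header before building the subprocess environment) and the backend-side check CERT alludes to with "fails to check the request type" (ignore HTTP_PROXY whenever REQUEST_METHOD is set, i.e. when running under a CGI gateway). All function names, the request headers and the proxy address are constructed for illustration; nothing here is lighttpd's own implementation.

```python
"""Added example (not from this bug or from lighttpd): simulate the
httpoxy HTTP_PROXY namespace collision and the fixes discussed above.

RFC 3875 section 4.1.18 maps every request header into the CGI environment
as HTTP_<NAME>, upper-cased, with '-' replaced by '_'.  A client-supplied
"Proxy:" header therefore becomes HTTP_PROXY, which many HTTP client
libraries read as their outbound proxy setting.
"""

# Request headers as a CGI front end would see them (constructed sample).
ATTACK_REQUEST = {
    "Host": "www.example.com",
    "User-Agent": "curl/7.49",
    "Proxy": "http://203.0.113.7:8080",   # attacker-chosen proxy (constructed)
}

BENIGN_REQUEST = {
    "Host": "www.example.com",
    "User-Agent": "curl/7.49",
}

# Request header names the hardened gateway refuses to export (compare the
# lighttpd commit: "Strip bogus 'Proxy' header before creating subprocess
# environment").  Matched case-insensitively, as HTTP header names are.
BLOCKED_HEADERS = {"proxy"}


def cgi_meta_vars(headers, method="GET", strip_proxy=False):
    """Build the CGI environment from request headers per RFC 3875.

    strip_proxy=False reproduces the pre-fix behaviour (HTTP_PROXY emitted);
    strip_proxy=True mirrors the lighttpd fix (the "Proxy" header is dropped
    so HTTP_PROXY is never placed in the subprocess environment).
    """
    env = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        if strip_proxy and name.lower() in BLOCKED_HEADERS:
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_outbound_proxy(env):
    """Backend that blindly honours HTTP_PROXY: the vulnerable pattern."""
    return env.get("HTTP_PROXY") or None


def guarded_outbound_proxy(env):
    """Backend-side defence: ignore HTTP_PROXY when running under CGI.

    A CGI gateway always sets REQUEST_METHOD (RFC 3875 section 4.1.12), so
    its presence is the simplest signal that HTTP_PROXY may have come from
    an untrusted client rather than from the operator's environment.
    """
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY") or None


def subrequest_proxy(headers, server_fixed=False, backend_fixed=False):
    """Return the proxy an internal HTTP subrequest would end up using
    for the given request, under the chosen combination of defences."""
    env = cgi_meta_vars(headers, strip_proxy=server_fixed)
    chooser = guarded_outbound_proxy if backend_fixed else naive_outbound_proxy
    return chooser(env)


if __name__ == "__main__":
    # Only the unpatched server + unpatched backend pair is exploitable.
    for server_fixed in (False, True):
        for backend_fixed in (False, True):
            print(f"server_fixed={server_fixed!s:5} backend_fixed={backend_fixed!s:5} ->",
                  subrequest_proxy(ATTACK_REQUEST, server_fixed, backend_fixed))
```

Either defence alone is enough to defeat the attack in this model, which is why the lighttpd commit message calls the change "a layer of defense" rather than a fix for a lighttpd bug: the gateway cannot know whether the backend it spawns reads HTTP_PROXY, and the backend cannot know whether the gateway filtered it, so each side should assume the other did not.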
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-08-10. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62915
bugbot adjusting priority
https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/779c133c16f9af168b004dce7a2a64f16c1cb3a4/diff
please update lighttpd package to lighttpd 1.4.44 openFATE: https://features.opensuse.org/322299
Leap: Using target project 'openSUSE:Maintenance' MR#477281
SLE 11: created request id 128820
SLE 12: created request id 128821
SUSE-SU-2017:0728-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 932286,981347,990847
CVE References: CVE-2015-3200,CVE-2016-1000212
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): lighttpd-1.4.35-3.1
SUSE Linux Enterprise High Availability 12-SP2 (src): lighttpd-1.4.35-3.1
SUSE Linux Enterprise High Availability 12-SP1 (src): lighttpd-1.4.35-3.1
SUSE-SU-2017:0731-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 932286,981347,990847
CVE References: CVE-2015-3200,CVE-2016-1000212
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): lighttpd-1.4.20-2.58.1
SUSE Linux Enterprise Server for SAP 11-SP4 (src): lighttpd-1.4.20-2.58.1
SUSE Linux Enterprise High Availability Extension 11-SP4 (src): lighttpd-1.4.20-2.58.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): lighttpd-1.4.20-2.58.1
fixed