Bug 988486 (CVE-2016-5385) - VUL-0: CVE-2016-5385: php7,php5,php53: Setting HTTP_PROXY environment variable via Proxy header (httpoxy)
Status: RESOLVED FIXED
Alias: CVE-2016-5385
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium   Severity: Normal
Target Milestone: ---
Deadline: 2017-02-13
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2016-5385:5.0:(AV:N/A...
Keywords:
Depends on:
Blocks: httpoxy
Reported: 2016-07-12 06:58 UTC by Andreas Stieger
Modified: 2018-01-18 00:38 UTC
CC: 9 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Comment 1 Swamp Workflow Management 2016-07-12 22:00:34 UTC
bugbot adjusting priority
Comment 3 Peter Simons 2016-07-14 10:15:27 UTC
There is also a PHP function apache_request_headers(),
http://php.net/manual/en/function.apache-request-headers.php, that would return a Proxy: ... header to user code if the request contains one. It's unclear yet whether that function should or should not return a Proxy header (i.e. should we patch it or not).
Comment 5 Simon Lees 2016-07-18 07:15:57 UTC
The versions of php5/php53 in SLE-11 don't have the file php_cli_server.c, which means the package php5 is unaffected in SLE-11 and the package php53 is not affected at all.
Comment 6 Peter Simons 2016-07-18 11:09:41 UTC
PHP5 is *not* vulnerable to httpoxy when it's run by Apache using either the CGI, FastCGI, or module interface. In other words, with apache2 fixed PHP is safe. The only thing that is vulnerable is the CLI test web server, which the attached patch addresses.


To test this, simply have PHP display a page test.php that says

    <?php phpinfo() ?>

and pass it a Proxy header through netcat:

    $ netcat localhost 8080 <<EOF
    GET http://localhost:8080/test.php HTTP/0.9
    Host: localhost
    Foo: this is the foo header
    Proxy: example.org
    S-PROXY: example.org

    EOF

The output contains

    <tr><td class="e">HTTP_HOST </td><td class="v">localhost </td></tr>
    <tr><td class="e">HTTP_FOO </td><td class="v">this is the foo header </td></tr>
    <tr><td class="e">HTTP_S_PROXY </td><td class="v">example.org </td></tr>
    <tr><td class="e">_SERVER["HTTP_HOST"]</td><td class="v">localhost</td></tr>
    <tr><td class="e">_SERVER["HTTP_FOO"]</td><td class="v">this is the foo header</td></tr>
    <tr><td class="e">_SERVER["HTTP_S_PROXY"]</td><td class="v">example.org</td></tr>

but no HTTP_PROXY is set inside of PHP.
Comment 8 Andreas Stieger 2016-07-18 14:14:37 UTC
From CERT:

We have received a report of a vulnerability affecting web servers that run code in a CGI or CGI-like context. We are tracking this as VU#797896, please retain VU#797896 in the subject of any email reply.

Note that if you have already received information about "httpoxy," then this notification may be redundant.

Public disclosure is scheduled for next Monday, 18 July 2016, at 10:00 AM EST.

Per the original report:

"""
RFC 3875 (CGI) puts any HTTP 'Proxy' header present in a request into the environment as HTTP_PROXY. HTTP_PROXY has also become a popular environment variable used to configure an outgoing proxy. It is this namespace conflict that forms the basis of all the vulnerabilities.

The remote attacker can redirect or man-in-the-middle internal HTTP subrequests, or direct the server to open outgoing connections to an address and port of their choosing.
"""

Both of the following are necessary to be considered vulnerable:

1. A web server, programming language or framework (and in some limited situations the application itself) sets the environmental variable HTTP_PROXY from the user supplied Proxy header in the web request, or sets a similarly used variable (essentially when the request header turns from harmless data into a potentially harmful environmental variable).

2. A web application makes use of HTTP_PROXY or similar variable unsafely (e.g. fails to check the request type) resulting in an attacker controlled proxy being used (essentially when HTTP_PROXY is actually used unsafely).

The CERT/CC will be tracking vendor statuses for this issue. Please let us know whether your products are affected and if you would like for a statement to be included in our vulnerability note.

Regards,

Joel Land
Vulnerability Analysis Team
==============================
CERT Coordination Center
www.cert.org / cert@cert.org 
==============================
Public at https://httpoxy.org/
Comment 9 Peter Simons 2016-07-20 10:11:07 UTC
How to re-produce the httpoxy issue in the internal web server:

1. Save the string "<?php phpinfo() ?>" into a file called test.php.
2. In the same directory, run "php -S localhost:8080".
3. Access http://localhost:8080/ in a web browser to check that the server is up.
4. Send the following command with netcat:

    $ netcat >output.txt localhost 8080 <<EOF
    GET /test.php HTTP/1.0
    Host: localhost
    Foo: this is the foo header
    Proxy: example.org
    S-PROXY: example.org

    EOF

5. The generated output file lists the HTTP_PROXY variable:

    $ grep HTTP output.txt 
    HTTP/1.0 200 OK
    <tr><td class="e">Server API </td><td class="v">Built-in HTTP server </td></tr>
    <tr><td class="e">_SERVER["SERVER_PROTOCOL"]</td><td class="v">HTTP/1.0</td></tr>
    <tr><td class="e">_SERVER["HTTP_HOST"]</td><td class="v">localhost</td></tr>
    <tr><td class="e">_SERVER["HTTP_FOO"]</td><td class="v">this is the foo header</td></tr>
    <tr><td class="e">_SERVER["HTTP_PROXY"]</td><td class="v">example.org</td></tr>
    <tr><td class="e">_SERVER["HTTP_S_PROXY"]</td><td class="v">example.org</td></tr>

If HTTP_PROXY exists, the server is vulnerable.
Comment 10 Peter Simons 2016-07-20 10:13:04 UTC
In step 3, access http://localhost:8080/test.php, of course.
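Added example (not from the bug report, from PHP, or from the SUSE patch): a Python model of the mechanism that the two reproduction recipes above (Comment 6 and Comment 9) exercise by hand. It parses the same raw request the netcat step sends, applies the RFC 3875 rule that turns the request header "Proxy: example.org" into the meta-variable HTTP_PROXY, shows the server-side fix of discarding the Proxy header before that mapping, shows an application-side fix of ignoring uppercase HTTP_PROXY whenever REQUEST_METHOD is set (i.e. in a CGI context), and checks phpinfo() output for the _SERVER["HTTP_PROXY"] row the way step 5 does with grep. The function names, the probe() helper and the sample phpinfo rows are this example's own assumptions.

```python
"""Added example (not part of the bug report): model httpoxy end to end.

1. build the raw request the netcat step sends,
2. map request headers to CGI meta-variables as RFC 3875 does (this is what
   turns a client-supplied "Proxy:" header into HTTP_PROXY),
3. server-side fix: drop the Proxy header before the mapping,
4. application-side fix: never trust uppercase HTTP_PROXY in a CGI context,
5. parse phpinfo() output for the _SERVER["HTTP_PROXY"] row (step 5 above).
Function names and probe() are this example's own, not PHP's or SUSE's."""
import re
import socket
from typing import Dict, List, Optional, Tuple

# The request sent by netcat in step 4, reconstructed as bytes (constructed).
RAW_REQUEST = (
    b"GET /test.php HTTP/1.0\r\n"
    b"Host: localhost\r\n"
    b"Foo: this is the foo header\r\n"
    b"Proxy: example.org\r\n"
    b"S-PROXY: example.org\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, headers


def cgi_environment(method: str, headers: List[Tuple[str, str]],
                    drop_proxy: bool = False) -> Dict[str, str]:
    """RFC 3875 s4.1.18: each header becomes HTTP_<NAME>, '-' replaced by '_'.

    drop_proxy=True discards the 'Proxy' header first; that is the server-side
    httpoxy mitigation (what "RequestHeader unset Proxy" does in Apache)."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers:
        if drop_proxy and name.lower() == "proxy":
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_proxy(env: Dict[str, str]) -> Optional[str]:
    """What a client library that blindly honours HTTP_PROXY would use."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def safe_proxy(env: Dict[str, str]) -> Optional[str]:
    """Application-side mitigation: when REQUEST_METHOD is present we are in a
    CGI context, so uppercase HTTP_PROXY is request-controlled and must be
    ignored; only the lowercase, operator-set http_proxy is trusted there."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("http_proxy") or env.get("HTTP_PROXY")


# Matches both the "PHP Variables" row (_SERVER["HTTP_PROXY"]) and the
# "Environment" row (HTTP_PROXY) of phpinfo(); the lookbehind keeps
# HTTP_S_PROXY from matching.
_PHPINFO_ROW = re.compile(
    r'(?:_SERVER\["HTTP_PROXY"\]|(?<![A-Z_])HTTP_PROXY) ?</td><td class="v">([^<]*)<')


def phpinfo_leaks_proxy(body: str) -> Optional[str]:
    """Return the HTTP_PROXY value phpinfo() shows, or None if it is absent."""
    m = _PHPINFO_ROW.search(body)
    return m.group(1).strip() if m else None


def probe(host: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """Send RAW_REQUEST to a live server (e.g. php -S) and report any leak."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(RAW_REQUEST)
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return phpinfo_leaks_proxy(b"".join(chunks).decode("latin-1"))


if __name__ == "__main__":
    import sys
    leaked = probe(sys.argv[1], int(sys.argv[2]))
    print(("vulnerable: HTTP_PROXY = %r" % leaked) if leaked
          else "HTTP_PROXY not set: not affected")
```

Only probe() needs a live server (start one with "php -S localhost:8080" next to test.php and run the script with "localhost 8080"); the parsing, mapping and lookup functions run offline. Note that the server-side fix keeps HTTP_S_PROXY, since only the Proxy header collides with a proxy-configuration variable, and that safe_proxy() still honours an operator-set lowercase http_proxy in the CGI context.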
Comment 11 Swamp Workflow Management 2016-07-20 22:10:55 UTC
SUSE-SU-2016:1842-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486
CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-68.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-68.1
Comment 12 Swamp Workflow Management 2016-08-01 03:10:38 UTC
openSUSE-SU-2016:1922-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486
CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-56.1
Comment 14 Marcus Meissner 2016-10-31 08:08:41 UTC
php7 is also affected and still needs a fix.
Comment 16 Petr Gajdos 2016-10-31 11:10:24 UTC
Please look at sr#123422.
Comment 18 Marcus Meissner 2016-10-31 12:19:33 UTC
looks good, thanks
Comment 19 Petr Gajdos 2016-11-07 08:00:25 UTC
Request has been accepted.
Comment 21 Swamp Workflow Management 2016-11-29 16:08:50 UTC
SUSE-SU-2016:2941-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1008029,988486
CVE References: CVE-2016-5385,CVE-2016-9137
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php7-7.0.7-25.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-25.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-25.1
Comment 22 Swamp Workflow Management 2016-12-12 17:11:11 UTC
openSUSE-SU-2016:3092-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1008029,988486
CVE References: CVE-2016-5385,CVE-2016-9137
Sources used:
openSUSE Leap 42.2 (src):    php7-7.0.7-6.2
Comment 23 Marcus Meissner 2016-12-22 13:19:41 UTC
released
Comment 24 Swamp Workflow Management 2017-01-30 13:23:12 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-02-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63367