
Re: Wheezy update of twisted?



Hi,

I had a quick look at the code too (both in wheezy and jessie), but I couldn't find the offending bits. Perhaps it'd be good to put together a small web server and see what happens when you pass the 'Proxy' header.

Free

On 5 August 2016 at 10:26, Brian May <bam@debian.org> wrote:
This security vulnerability is described here:

https://bugzilla.redhat.com/show_bug.cgi?id=1357345

as:

"sets environmental variable based on user supplied Proxy request
header"

In particular it is talking about HTTP_PROXY, and it is only a problem if
the server makes an outgoing HTTP request using this value.

Looking at this, I am inclined to say this isn't a security issue in
twisted itself, rather some unspecified applications that use twisted.

Just trying to double-check this. I can't find any references
(case-insensitive) to "HTTP_PROXY" in the twisted source, however.

This appears to be confirmed by the first sentence in the redhat bug
report:

"Many software projects and vendors have implemented support for the
“Proxy” request header in their respective CGI implementations and
languages by creating the “HTTP_PROXY” environmental variable based on
the header value."

There are a number of projects in Debian that use twisted, should we
check each one?

Sure would be good if I had an example application that was confirmed
vulnerable.
--
Brian May <bam@debian.org>
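Free's suggestion is to watch what a server does with a client-supplied 'Proxy' header. The following is an added example, not Twisted's code and not from anyone in this thread: a stdlib-only Python model of the CGI header-to-environment mapping the Red Hat report describes, a hardened variant that drops the header, and a small detection check. The header names and values are constructed.

```python
"""Model of the RFC 3875 CGI mapping behind the 'Proxy' header issue.

A CGI gateway exposes each request header as HTTP_<NAME>, with the name
upper-cased and '-' replaced by '_'.  A client-supplied 'Proxy' header thus
lands in HTTP_PROXY, the variable many HTTP client libraries read to choose
an outbound proxy.  Nothing here performs a network request.
"""
from typing import Dict, Iterable, Tuple

# Request headers that must never become HTTP_* variables because they
# collide with names that client libraries treat as configuration.
BLOCKED_HEADERS = frozenset({"proxy"})


def cgi_meta_variables(headers: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Naive RFC 3875 mapping: the behaviour the Red Hat report describes."""
    env = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_meta_variables_safe(headers: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Hardened mapping: drop 'Proxy' (case-insensitive) before it reaches
    the environment, so downstream HTTP clients never see it as HTTP_PROXY."""
    return cgi_meta_variables(
        (n, v) for n, v in headers if n.lower() not in BLOCKED_HEADERS
    )


def flag_proxy_header(headers: Iterable[Tuple[str, str]]) -> bool:
    """Detection helper for edge or WAF logging: True if a request carries a
    'Proxy' header, which ordinary browsers and HTTP clients do not send."""
    return any(n.lower() == "proxy" for n, _ in headers)


# Constructed sample request; not a real capture.
SAMPLE_HEADERS = [
    ("Host", "example.invalid"),
    ("User-Agent", "curl/7.50"),
    ("Proxy", "http://untrusted.invalid:8080"),
]

if __name__ == "__main__":
    naive = cgi_meta_variables(SAMPLE_HEADERS)
    safe = cgi_meta_variables_safe(SAMPLE_HEADERS)
    print("naive HTTP_PROXY:", naive.get("HTTP_PROXY"))  # client-controlled
    print("safe  HTTP_PROXY:", safe.get("HTTP_PROXY"))   # None
    print("suspicious request:", flag_proxy_header(SAMPLE_HEADERS))
```

Stripping the header at the gateway is the generic fix; it also protects applications whose HTTP client cannot be patched to ignore HTTP_PROXY when running under CGI.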

