[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: httpoxy efforts? (and is it "much" more than just HTTP_PROXY?)


On Wed, 2016-07-20 at 08:14 +0000, Holger Levsen wrote:
> your email doesnt mention whether you searched the BTS for relevant
> bugs
> about these issues. Have you?
Oh, of course I did... but at least I couldn't find any in the more
higher priority sections.
I don't see anything yet with respect to at least php 7.0 (if there's
actually anything going to be done on that layer.

At least there's now a DSA out for apache httpd.
But of course this may affect every other system (e.g. webserver) that
takes request headers which aren't somehow trusted/checked from a
client and exports them to 3rd party programs which may use the names.

Further I've had opened https://bz.apache.org/bugzilla/show_bug.cgi?id=59886
Basically asking Apache upstream whether it could make sense to block
the env var also at suexec level.
While it's not that important for Apache (which now blocks the header
anyway itself) others may use suexec as sanitiser for CGIs in other
contexts (though I have no idea whether this is actually don or not).

Also, quoting myself from https://bz.apache.org/bugzilla/show_bug.cgi?id=59886#c5:
>Isn't the problem below httpoxy actually "much" bigger, at least in
>Who says that there aren't any further scripts out there (which are
>run from webservers, which export HTTP_<header> vars), which make use
>of such names?
>HTTP_* is pretty generic and by no means anything one would need to
>assume that "belongs" to CGI, or to webserver-set variables that
>aren't to be trusted.
>There could be a HTTP_MODE variable which takes e.g. "plain" or "ssl"
>and causes the program in question to make further connections plain
>(and possibly insecure) when the attacker can overwrite it with an
>Not sure if this breaks many scripts, but it rather seems to me, as if
>webservers should per default not export *any* untrusted HTTP request
>headers as envvars, at least as long as this doesn't happen below a
>sufficiently obvious namespace (e.g.
>SET_BY_WEBSERVER_AND_INSECURE_<header name> or so ;-) ...

If had a small mail conversion with Dominic Scheirlinck (one of the
"original" people discovering that issue), and in principle he seemed
to confirm that the above could happen, while of course it's less
likely than with http_proxy which has been some kind of semi-standard
for years now.

What do you think?


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to: