Jiri B
2016-07-19 09:32:43 UTC
Hi,
Red Hat found a vulnerability in various web servers and frameworks
related to env variable passed to cgi scripts, see below:
HTTPoxy - CGI "HTTP_PROXY" variable name clash
https://access.redhat.com/security/vulnerabilities/httpoxy
I was able to reproduce on OpenBSD httpd/slowcgi (6.0-beta from Jul 1).
j.
~~~
# slowcgi -d
slowcgi: socket: /var/www/run/slowcgi.sock
slowcgi: slowcgi_user: www
slowcgi: chroot: /var/www
slowcgi: inflight incremented, now 1
slowcgi: version: 1
slowcgi: type: 1
slowcgi: requestId: 1
slowcgi: contentLength: 8
slowcgi: paddingLength: 0
slowcgi: reserved: 0
slowcgi: role 1
slowcgi: flags 0
slowcgi: version: 1
slowcgi: type: 4
slowcgi: requestId: 1
slowcgi: contentLength: 448
slowcgi: paddingLength: 0
slowcgi: reserved: 0
slowcgi: env[0], PATH_INFO=
slowcgi: env[1], SCRIPT_NAME=/cgi-bin/testovic
slowcgi: env[2], SCRIPT_FILENAME=//cgi-bin/testovic
slowcgi: env[3], QUERY_STRING=
slowcgi: env[4], DOCUMENT_ROOT=/
slowcgi: env[5], DOCUMENT_URI=/cgi-bin/testovic
slowcgi: env[6], GATEWAY_INTERFACE=CGI/1.1
slowcgi: env[7], HTTP_ACCEPT=*/*
slowcgi: env[8], HTTP_HOST=localhost
slowcgi: env[9], HTTP_PROXY=AFFECTED
slowcgi: env[10], HTTP_USER_AGENT=curl/7.49.0
slowcgi: env[11], REMOTE_ADDR=127.0.0.1
slowcgi: env[12], REMOTE_PORT=30357
slowcgi: env[13], REQUEST_METHOD=GET
slowcgi: env[14], REQUEST_URI=/cgi-bin/testovic
slowcgi: env[15], SERVER_ADDR=127.0.0.1
slowcgi: env[16], SERVER_PORT=80
slowcgi: env[17], SERVER_NAME=default
slowcgi: env[18], SERVER_PROTOCOL=HTTP/1.1
slowcgi: env[19], SERVER_SOFTWARE=OpenBSD httpd
slowcgi: version: 1
slowcgi: type: 4
slowcgi: requestId: 1
slowcgi: contentLength: 0
slowcgi: paddingLength: 0
slowcgi: reserved: 0
slowcgi: fork: //cgi-bin/testovic
slowcgi: version: 1
slowcgi: type: 5
slowcgi: requestId: 1
slowcgi: contentLength: 0
slowcgi: paddingLength: 0
slowcgi: reserved: 0
slowcgi: resp version: 1
slowcgi: resp type: 6
slowcgi: resp requestId: 1
slowcgi: resp contentLength: 47
slowcgi: resp paddingLength: 0
slowcgi: resp reserved: 0
slowcgi: resp version: 1
slowcgi: resp type: 6
slowcgi: resp requestId: 1
slowcgi: resp contentLength: 0
slowcgi: resp paddingLength: 0
slowcgi: resp reserved: 0
slowcgi: resp version: 1
slowcgi: resp type: 7
slowcgi: resp requestId: 1
slowcgi: resp contentLength: 0
slowcgi: resp paddingLength: 0
slowcgi: resp reserved: 0
slowcgi: wait: //cgi-bin/testovic
slowcgi: resp version: 1
slowcgi: resp type: 3
slowcgi: resp requestId: 1
slowcgi: resp contentLength: 8
slowcgi: resp paddingLength: 0
slowcgi: resp reserved: 0
slowcgi: resp appStatus: 0
slowcgi: resp protocolStatus: 0
$ curl -H 'Proxy: AFFECTED' http://localhost/cgi-bin/testovic
HTTP_PROXY='AFFECTED'
$ cat /var/www/cgi-bin/testovic
#!/bin/sh
echo "Content-Type:text/plain
"
echo "HTTP_PROXY='$HTTP_PROXY'"
~~~
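The name clash reproduced in the report above, as an added example (not part of the original message or of OpenBSD's code): `cgi_env_name` shows the RFC 3875 header-to-variable mapping that turns a `Proxy:` request header into `HTTP_PROXY`, and `scan_slowcgi_log` flags requests in `slowcgi -d` output that carried it. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag requests in `slowcgi -d` output whose CGI environment
# contains HTTP_PROXY, i.e. the client sent a "Proxy:" request header.

# cgi_env_name HEADER -> CGI meta-variable name per RFC 3875 section 4.1.18
# (uppercase, "-" becomes "_", "HTTP_" prefix).
cgi_env_name() {
    printf 'HTTP_%s\n' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# scan_slowcgi_log: read slowcgi debug lines on stdin and print one line
# "SCRIPT_NAME<TAB>HTTP_PROXY value" per request that carried HTTP_PROXY.
scan_slowcgi_log() {
    awk '
    /^slowcgi: env\[[0-9]+\], / {
        kv = $0
        sub(/^slowcgi: env\[[0-9]+\], /, "", kv)
        eq = index(kv, "=")
        name = substr(kv, 1, eq - 1); val = substr(kv, eq + 1)
        if (name == "SCRIPT_NAME") script = val
        if (name == "HTTP_PROXY") { proxy = val; seen = 1 }
        next
    }
    # "fork:" is logged once the parameters of a request are complete.
    /^slowcgi: fork: / {
        if (seen) printf "%s\t%s\n", script, proxy
        script = ""; proxy = ""; seen = 0
    }'
}

# Constructed sample, trimmed to the shape of the debug output above.
sample_log() {
    cat <<'EOF'
slowcgi: env[1], SCRIPT_NAME=/cgi-bin/testovic
slowcgi: env[8], HTTP_HOST=localhost
slowcgi: env[9], HTTP_PROXY=AFFECTED
slowcgi: fork: //cgi-bin/testovic
slowcgi: env[1], SCRIPT_NAME=/cgi-bin/other
slowcgi: env[8], HTTP_HOST=localhost
slowcgi: fork: //cgi-bin/other
EOF
}

sample_log | scan_slowcgi_log
```

Only the first request in the sample is reported, because the second one has no `HTTP_PROXY` entry in its environment.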