PHP: sets environmental variable based on user supplied Proxy request header

It was discovered that PHP did not properly protect against the HTTPPROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request...

[SECURITY] [DSA 3642-1] lighttpd security update

------------------------------------------------------------------------- Debian Security Advisory DSA-3642-1 [email protected] https://www.debian.org/security/ Sebastien Delafond August 05, 2016 https://www.debian.org/security/faq -...

DSA-3642-1 lighttpd - security update

Bulletin has no description...

Debian DLA-583-1 : lighttpd security update

Dominic Scheirlinck and Scott Geary of Vend reported an insecure behaviour in the lighttpd web server. Lighttpd assigned Proxy header values from client requests to internal HTTPPROXY environment variables. This could be used to carry out Man in the Middle Attacks MIDM or create connections to...

[SECURITY] [DLA 583-1] lighttpd security update

Package : lighttpd Version : 1.4.31-4+deb7u5 CVE ID : CVE-2016-1000212 Debian Bug : 832571 Dominic Scheirlinck and Scott Geary of Vend reported an insecure behaviour in the lighttpd web server. Lighttpd assigned Proxy header values from client requests to internal HTTPPROXY environment variables...

Go: sets environmental variable based on user supplied Proxy request header

An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable "HTTPPROXY" using the incoming "Proxy" HTTP-request header. The environment variable "HTTPPROXY" is used by numerous web clients, including Go's net/http package,...

DLA-583-1 lighttpd - security update

Bulletin has no description...

Amazon Linux AMI : tomcat6 / tomcat7,tomcat8 (ALAS-2016-722) (httpoxy)

Tomcat's CGI support used the value of the Proxy header from HTTP requests to initialize the HTTPPROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibl...

DSA-3623-1 apache2 - security update

Bulletin has no description...

Medium: tomcat6, tomcat7, tomcat8

Issue Overview: Tomcat's CGI support used the value of the Proxy header from HTTP requests to initialize the HTTPPROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attack...

DLA-553-1 apache2 - security update

Bulletin has no description...

ALPINE-CVE-2016-5387

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary...

DEBIAN-CVE-2016-5387

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary...

CVE-2016-5387

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary...

Apache Tomcat suffers from httpoxy remote proxy infection vulnerability

Apache Tomcat is the United States Apache Apache Software Foundation under the Jakarta project of a lightweight Web application server, which is mainly used for the development and debugging of JSP programs for small and medium-sized systems. httpoxy is a set of vulnerabilities that affect...

Python has a httpoxy remote proxy infection vulnerability

Python is an open source, object-oriented programming language from the Python Software Foundation. httpoxy is a set of vulnerabilities that affect application code running in a CGI environment. The vulnerabilities exist primarily in multiple web servers, web frameworks, and programming languages...

Apache HTTP Server suffers from httpoxy remote proxy infection vulnerability

Apache HTTP Server is the United States Apache Apache Software Foundation, an open source web server. The server is fast, reliable and can be expanded through a simple API. httpoxy is a set of vulnerabilities that affect application code running in a CGI environment. The vulnerabilities exist...

RedHat Update for httpd RHSA-2016:1422-01

The remote host is missing an update for the SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

FreeBSD : Multiple ports -- Proxy HTTP header vulnerability (httpoxy) (cf0b5668-4d1b-11e6-b2ec-b499baebfeaf)

httpoxy.org reports : httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:. - RFC 3875 CGI puts the HTTP Proxy header from a request into the environment variables as HTTPPROXY - HTTPPROXY is a...

USN-3038-1 apache2 vulnerability

It was discovered that the Apache HTTP Server would set the HTTPPROXY environment variable based on the contents of the Proxy header from HTTP requests. A remote attacker could possibly use this issue in combination with CGI scripts that honour the HTTPPROXY variable to redirect outgoing HTTP...