CGIHandler: sets environmental variable based on user supplied Proxy request header

It was discovered that the Python CGIHandler class did not properly protect against the HTTPPROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP...

SUSE-SU-2016:2090-1 Security update for apache2

This update for apache2 fixes the following issues: - It used to be possible to set an arbitrary $HTTPPROXY environment variable for request handlers -- like CGI scripts -- by including a specially crafted HTTP header in the request CVE-2016-5387. As a result, these server components would...

openSUSE Security Update : squid (openSUSE-2016-988)

The Squid HTTP proxy has been updated to version 3.3.14, fixing the following security issues : - Fixed multiple Denial of Service issues in HTTP Response processing. CVE-2016-2569, CVE-2016-2570, CVE-2016-2571, CVE-2016-2572, bsc968392, bsc968393, bsc968394, bsc968395 - CVE-2016-3947: Buffer...

SUSE-SU-2016:2008-1 Security update for squid

The Squid HTTP proxy has been updated to version 3.3.14, fixing the following security issues: - Fixed multiple Denial of Service issues in HTTP Response processing. CVE-2016-2569, CVE-2016-2570, CVE-2016-2571, CVE-2016-2572, bsc968392, bsc968393, bsc968394, bsc968395 - CVE-2016-3947: Buffer...

PHP 5.5.x < 5.5.38 / 5.6.x < 5.6.24 / 7.0.x < 7.0.9 Multiple Vulnerabilities

Binary data 9460.prm...

openSUSE Security Update : php5 (openSUSE-2016-921) (httpoxy)

This update for php5 fixes the following issues : - It is possible to launch a web server with 'php -S localhost:8080' It used to be possible to set an arbitrary $HTTPPROXY environment variable for request handlers -- like CGI scripts -- by including a specially crafted HTTP header in the request...

Go: sets environmental variable based on user supplied Proxy request header

An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable "HTTPPROXY" using the incoming "Proxy" HTTP-request header. The environment variable "HTTPPROXY" is used by numerous web clients, including Go's net/http package,...

Updated apache packages fix security vulnerability

It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTPPROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could...

PHP < 5.6.24, 7.x <= 7.0.8 Multiple Vulnerabilities (Jul 2016) - Windows

PHP is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:php:php"; if description...

Apache HTTP Server Man-in-the-Middle Attack Vulnerability (Jul 2016) - Linux

Apache HTTP Server is prone to a man-in-the-middle attack vulnerability. SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

Using free http proxy IP for the network scanning-vulnerability warning-the black bar safety net

How from free proxy IP, find a vulnerability, here is my definition of discovered vulnerabilities, is because I personally feel that this vulnerability is a technical comparison of the difference, the more likely is the discovery, analysis, and summary. As a Information Security for the novice, b...

Drupal 8.x < 8.1.7 PHP HTTP_PROXY Environment Variable Namespace Collision Vulnerability (httpoxy)

The version of Drupal running on the remote web server is 8.x prior to 8.1.7. It is, therefore, affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTPPROXY environment variable ...

SUSE-SU-2016:1842-1 Security update for php5

This update for php5 fixes the following issues: It is possible to launch a web server with 'php -S localhost:8080' It used to be possible to set an arbitrary $HTTPPROXY environment variable for request handlers -- like CGI scripts -- by including a specially crafted HTTP header in the request...

[SECURITY] [DSA 3623-1] apache2 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-3623-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso July 20, 2016 https://www.debian.org/security/faq -...

CVE-2016-5386

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect a CGI...

Design/Logic Flaw

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect a CGI...

GO Language httpoxy Remote Proxy Infection Vulnerability

Go language is the second open source programming language released by Google. httpoxy is a set of vulnerabilities that affect application code running in a CGI environment. The vulnerabilities exist primarily in multiple web servers, web frameworks, and programming languages. The Proxy field nam...

CGI Namespace Conflict Man-In-The-Middle (httpoxy; CVE-2016-1000109; CVE-2016-1000110; CVE-2016-5385; CVE-2016-5386; CVE-2016-5387; CVE-2016-5388)

Namespace conflict related to HTTP proxy headers allows an attacker to configure the HTTPPROXY environment variable. A successful exploitation might allow an attacker to launch a man-in-the-middle attack and redirect traffic to an arbitrary host...

FreeBSD : Multiple ports -- Proxy HTTP header vulnerability (httpoxy) (cf0b5668-4d1b-11e6-b2ec-b499baebfeaf)

httpoxy.org reports : httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:. - RFC 3875 CGI puts the HTTP Proxy header from a request into the environment variables as HTTPPROXY - HTTPPROXY is a...

HTTP Proxy header vulnerability

Bug Fixes Removed support for using HTTPPROXY environment variable for non-CLI apps per CVE-2016-5385 httpoxy. Graham Campbell 143 145 Convert BUGSNAGNOTIFYRELEASESTAGES to a comma-delimited array Jason Graham Campbell 142 144...