Veracode
added 2019/01/15 9:12 a.m., 22 views

Open Redirection

php is vulnerable to open redirection. It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request...

CVSS 8.1, AI score 7.9, EPSS 0.83504
Exploits 0, References 36, Affected Software 4
Tenable Nessus
added 2019/01/09 12:00 a.m., 141 views

Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (httpoxy)

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.25. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the mod_session_crypto module due to encryption for data and cookies using the configured ciphers with possibly either...

CVSS 8.1, AI score 7.9, EPSS 0.73272
Exploits 8, References 10
IBM Security Bulletins
added 2018/06/18 1:33 a.m., 22 views

Security Bulletin: A vulnerability in lighttpd affects PowerKVM (CVE-2016-1000212)

Summary PowerKVM is affected by a vulnerability in lighttpd. IBM has now addressed this vulnerability. Vulnerability Details CVEID: CVE-2016-1000212 DESCRIPTION: lighttpd could allow a remote attacker to redirect HTTP traffic of CGI application, caused by the failure to protect applications from...

AI score 0.8
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2018/06/18 12:32 a.m., 49 views

Security Bulletin: Vulnerabilities in Apache Tomcat affect the IBM FlashSystem model V840

Summary There are vulnerabilities in Apache Tomcat to which the IBM® FlashSystem™ V840 is susceptible. An exploit of these vulnerabilities CVE-2016-3092, CVE-2016-5385, CVE-5386, CVE-2016-5387, and CVE-2016-5388 could allow a remote attacker to wage a denial of service attack or redirect outbound...

CVSS 8.1, AI score 0.4, EPSS 0.83504
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2018/06/16 9:48 p.m., 49 views

Security Bulletin: IBM Security Access Manager is affected by vulnerabilities in Python (CVE-2016-0772, CVE-2016-5699, CVE-2016-1000110)

Summary Vulnerabilities have been identified in Python. IBM Security Access Manager appliances use Python and are affected by these vulnerabilities. Vulnerability Details CVEID: CVE-2016-0772 DESCRIPTION: Python's smtplib library is vulnerable to a stripping attack. An exception isn't returned by...

CVSS 6.5, AI score 1.2, EPSS 0.41714
Exploits 6, Affected Software 1
RedHat Linux
added 2018/02/05 1:55 p.m., 31 views

Important: Red Hat Security Advisory: Red Hat Satellite 6 security, bug fix, and enhancement update

An update is now available for Red Hat Satellite 6.2 for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity ratin...

CVSS 5.3, AI score 6, EPSS 0.00581
Exploits 0, References 19
Huawei
added 2017/11/29 12:00 a.m., 33 views

Security Advisory - A CGI application vulnerability in Some Huawei Products

Some open source software used by Huawei does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an...

CVSS 8.1, AI score 7.7, EPSS 0.45904
Exploits 0, Affected Software 1
Mageia
added 2017/07/13 9:10 a.m., 32 views

Updated apache-mod_fcgid packages fix security vulnerability

A remote attacker could have set the HTTP_PROXY environment variable of CGI scripts CVE-2016-1000104...

CVSS 8.8, AI score 2.5, EPSS 0.00387
Exploits 0, References 2
OSV
added 2017/07/13 9:10 a.m., 7 views

MGASA-2017-0203 Updated apache-mod_fcgid packages fix security vulnerability

A remote attacker could have set the HTTP_PROXY environment variable of CGI scripts CVE-2016-1000104...

CVSS 8.8, AI score 8.6, EPSS 0.00387
Exploits 0, References 3
Tenable Nessus
added 2017/06/26 12:00 a.m., 141 views

Tenable SecurityCenter Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (TNS-2017-04) (httpoxy)

The Tenable SecurityCenter application installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the bundled version of Apache : - A flaw exists in the mod_session_crypto module due to encryption for data and cookies using the configured...

CVSS 8.1, AI score 6.5, EPSS 0.71517
Exploits 8, References 8
Mageia
added 2017/05/26 6:54 a.m., 68 views

Updated perl-CGI-Emulate-PSGI packages fix security vulnerability

This update removes the setting of the HTTP_PROXY environment value. This works around the httpoxy vulnerability aka CVE-2016-5387...

CVSS 8.1, AI score 0.8, EPSS 0.51564
Exploits 0, References 2
OSV
added 2017/05/26 6:54 a.m., 16 views

MGASA-2017-0146 Updated perl-CGI-Emulate-PSGI packages fix security vulnerability

This update removes the setting of the HTTP_PROXY environment value. This works around the httpoxy vulnerability aka CVE-2016-5387...

CVSS 8.1, AI score 8.1, EPSS 0.51564
Exploits 0, References 3
FreeBSD
added 2017/05/19 12:00 a.m., 15 views

duo -- Two-factor authentication bypass

The duo security team reports: An untrusted user may be able to set the http_proxy variable to an invalid address. If this happens, this will trigger the configured 'failmode' behavior, which defaults to safe. Safe mode causes the authentication to report a success...

AI score 1.4
Exploits 0, References 1
Tenable Nessus
added 2017/05/01 12:00 a.m., 48 views

EulerOS 2.0 SP1 : python (EulerOS-SA-2016-1036)

According to the versions of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote...

CVSS 6.5, AI score 7.2, EPSS 0.41714
Exploits 6, References 4
OSV
added 2017/03/17 2:12 p.m., 3 views

SUSE-SU-2017:0728-1 Security update for lighttpd

This update for lighttpd fixes the following issues: Security issues fixed: - CVE-2016-1000212: don't allow requests to set the HTTP_PROXY variable. As CGI apps might pick it up and use it for outgoing requests (bsc#990847). - CVE-2015-3200: log injection via malformed base64 string in Authentication...

CVSS 7.5, AI score 7.6, EPSS 0.20033
Exploits 1, References 6
Ubuntu
added 2017/01/23 6:24 p.m., 99 views

USN-3177-1: Tomcat vulnerabilities

It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn't exist. A remote attacker could possibly use this issue to enumerate usernames. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. CVE-2016-0762 Alvaro Muno...

CVSS 9.8, AI score 7.1, EPSS 0.93809
Exploits 11
NVD
added 2017/01/10 3:59 p.m., 11 views

CVE-2016-6287

The "http-client" egg always used an HTTP_PROXY environment variable to determine whether HTTP traffic should be routed via a proxy, even when running as a CGI process. Under several web servers this would mean a user-supplied "Proxy" header could allow an attacker to direct all HTTP requests throu...

CVSS 7.5, AI score 7.4, EPSS 0.00697
Exploits 0, References 2
NVD
added 2017/01/10 3:59 p.m., 18 views

CVE-2016-6286

The "spiffy-cgi-handlers" egg would convert a nonexistent "Proxy" header to the HTTP_PROXY environment variable, which would allow attackers to direct CGI programs which use this environment variable to use an attacker-specified HTTP proxy server also known as a "httpoxy" attack. This affects all...

CVSS 7.5, AI score 7.5, EPSS 0.00697
Exploits 0, References 2
Cvelist
added 2017/01/10 3:00 p.m., 14 views

CVE-2016-6286

The "spiffy-cgi-handlers" egg would convert a nonexistent "Proxy" header to the HTTP_PROXY environment variable, which would allow attackers to direct CGI programs which use this environment variable to use an attacker-specified HTTP proxy server also known as a "httpoxy" attack. This affects all...

AI score 7.5, EPSS 0.00697
Exploits 0, References 2
CVE
added 2017/01/10 3:00 p.m., 62 views

CVE-2016-6287

The CVE-2016-6287 entry concerns the CHICKEN http-client egg. The vulnerability arises because the http-client used the HTTP_PROXY environment variable to decide whether to route HTTP traffic via a proxy, even in CGI contexts. This allowed a user-supplied Proxy header under several web servers to...

CVSS 7.5, AI score 7.3, EPSS 0.00697
Exploits 0, References 2, Affected Software 1