From: Andy Bennett
Subject: Re: [Chicken-users] [SECURITY] spiffy-cgi-handlers and http-client updated to prevent "httpoxy" attack
Date: Sat, 23 Jul 2016 17:17:11 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.8.0

Hi Peter!

Thanks for all your work on this!

> A vulnerability called "httpoxy" has been announced, which affects a
> lot of software (server _and_ client) which speaks the HTTP protocol,
> allowing a man-in-the-middle attack to be made on servers.  The
> spiffy-cgi-handlers and http-client eggs are also affected.
> 
> In short, the CGI specification defines that all HTTP headers should be
> converted to environment variables, after uppercasing them and prefixing
> them with "HTTP_".  Unfortunately, this allows an attacker to pass a
> (nonexistent) "Proxy:" header, which will then be converted to
> "HTTP_PROXY", which happens to be an environment variable which most
> HTTP client programs and libraries support as a way of telling them to
> route all requests through a proxy.  See https://httpoxy.org for more
> information about this attack.
> 
> The http-client egg is vulnerable to such an attack with the default
> value of "determine-proxy" (which is "determine-proxy-from-environment"),
> if it is used in a CGI program.  This situation only occurs if this
> process is invoked by an HTTP server which converts the Proxy header into
> an HTTP_PROXY environment variable.  The spiffy-cgi-handlers egg will do
> that in the default setup.
> 
> If your CGI scripts are not using http-client, they may still be
> vulnerable depending on which HTTP client library or application
> you are using.
> 
> These bugs have been fixed in http-client 0.10 and
> spiffy-cgi-handlers 0.5, so please update at your earliest convenience.
> 
> 
> If you are unable to update, both eggs provide sufficient hooks to fix
> this in user code, without patching the eggs:
> 
> In spiffy-cgi-handlers, you can add ("HTTP_PROXY" . #f) to the
> cgi-default-environment parameter:
> 
> (cgi-default-environment
>    (cons '("HTTP_PROXY" . #f) (cgi-default-environment)))
> 
> This has precedence over the dynamically determined environment list
> which converts the "Proxy" header to "HTTP_PROXY".
> 
> In http-client, you can disable or override the determine-proxy parameter
> with a custom procedure:
> 
> (use data-structures)
> (determine-proxy (constantly #f))
> 
> The updated versions of spiffy-cgi-handlers and http-client should be
> available shortly.
> 
> Kind regards,
> Peter Bex
> 
> 
> 
> _______________________________________________
> Chicken-users mailing list
> address@hidden
> https://lists.nongnu.org/mailman/listinfo/chicken-users
> 
Regards,
@ndy

-- 
address@hidden
http://www.ashurst.eu.org/
0290 DA75 E982 7D99 A51F  E46A 387A 7695 7EBA 75FF


Attachment: signature.asc
Description: OpenPGP digital signature


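The advisory quoted above describes both halves of httpoxy (the CGI server turning a client-supplied "Proxy:" header into HTTP_PROXY, and an HTTP client reading HTTP_PROXY to pick its proxy) and the two hooks that close it (an entry in cgi-default-environment that wins over the header-derived variables, and a replacement determine-proxy procedure). The following is an added example modelling that end to end; it is not code from the spiffy-cgi-handlers or http-client eggs, and all function names, the sample request, and the hostnames attacker.example and api.internal.example are constructed for the illustration. The CGI-aware chooser at the end goes beyond the advisory: it is the rule Python's urllib and Go's net/http adopted for CVE-2016-1000110 / CVE-2016-5386 (ignore the uppercase HTTP_PROXY whenever REQUEST_METHOD is set, since that means the process is a CGI script).

```python
"""httpoxy in miniature: added example, not code from the Chicken eggs.

Models RFC 3875's header-to-variable rule, a client's "proxy from
environment" default, and the two mitigations from the advisory.  Every
name below is constructed for the example.
"""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Headers = List[Tuple[str, str]]
Env = Dict[str, str]
ProxyChooser = Callable[[Env, str], Optional[str]]


def cgi_variable_name(header_name: str) -> str:
    """RFC 3875 section 4.1.18: uppercase, '-' becomes '_', prefix HTTP_."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def build_cgi_env(headers: Headers,
                  default_env: Optional[Dict[str, Optional[str]]] = None) -> Env:
    """Build the environment a CGI server hands to the script.

    Every request header is converted, so a client-supplied "Proxy:" header
    lands in HTTP_PROXY.  default_env is applied afterwards and therefore
    wins, like cgi-default-environment in the advisory; a value of None
    means "make sure this variable is absent" (the advisory's #f).
    """
    env: Env = {"REQUEST_METHOD": "GET", "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers:
        env[cgi_variable_name(name)] = value
    for name, value in (default_env or {}).items():
        if value is None:
            env.pop(name, None)
        else:
            env[name] = value
    return env


# Mitigation 1 (server side): the advisory's ("HTTP_PROXY" . #f) entry.
HARDENED_DEFAULT_ENV: Dict[str, Optional[str]] = {"HTTP_PROXY": None}


def proxy_from_environment(env: Env, url: str) -> Optional[str]:
    """The common client default: route http:// requests via HTTP_PROXY."""
    if urlsplit(url).scheme == "http":
        return env.get("HTTP_PROXY") or env.get("http_proxy")
    return None


def no_proxy(env: Env, url: str) -> Optional[str]:
    """Mitigation 2 (client side): the advisory's (determine-proxy (constantly #f))."""
    return None


def proxy_from_environment_cgi_aware(env: Env, url: str) -> Optional[str]:
    """Extra hardening (not in the advisory; the Python/Go approach): when
    REQUEST_METHOD is set we are a CGI script, so uppercase HTTP_PROXY is
    attacker-controlled and only the lowercase variable is trusted."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy") if urlsplit(url).scheme == "http" else None
    return proxy_from_environment(env, url)


def connection_target(env: Env, url: str, determine_proxy: ProxyChooser) -> str:
    """Return the host:port the client would actually open a TCP connection to."""
    proxy = determine_proxy(env, url)
    parts = urlsplit(proxy if proxy else url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}"


# Constructed sample request: the attacker adds a bogus Proxy: header.
ATTACK_HEADERS: Headers = [
    ("Host", "app.example"),
    ("User-Agent", "curl/7.47.0"),
    ("Proxy", "http://attacker.example:8080"),
]
BACKEND_URL = "http://api.internal.example/v1/orders"


def demo() -> Dict[str, str]:
    """Where the CGI script's backend request goes under each configuration."""
    vuln_env = build_cgi_env(ATTACK_HEADERS)
    safe_env = build_cgi_env(ATTACK_HEADERS, HARDENED_DEFAULT_ENV)
    return {
        "vulnerable": connection_target(vuln_env, BACKEND_URL, proxy_from_environment),
        "server_fix": connection_target(safe_env, BACKEND_URL, proxy_from_environment),
        "client_fix": connection_target(vuln_env, BACKEND_URL, no_proxy),
        "cgi_aware": connection_target(vuln_env, BACKEND_URL, proxy_from_environment_cgi_aware),
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:11} -> {target}")
```

Only the "vulnerable" row connects to attacker.example:8080; the other three reach api.internal.example:80. Note that the server-side override only protects scripts run behind that one server, while the client-side override protects the script wherever it is run; applying both is the safe default until the fixed egg versions are installed.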