[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Chicken-users] [SECURITY] spiffy-cgi-handlers and http-client updat
Re: [Chicken-users] [SECURITY] spiffy-cgi-handlers and http-client updated to prevent "httpoxy" attack
Sat, 23 Jul 2016 17:17:11 +0100
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.8.0
Thanks for all your work on this!
> A vulnerability called "httpoxy" has been announced, which affects a
> lot of software (server _and_ client) which speaks the HTTP protocol,
> allowing a man in the middle attack to be made on servers. The
> spiffy-cgi-handlers and http-client eggs are also affected.
> In short, the CGI specification defines that all HTTP headers should be
> converted to environment variables, after uppercasing them and prefixing
> them with "HTTP_". Unfortunately, this allows an attacker to pass a
> (nonexistent) "Proxy:" header, which will then be converted to
> "HTTP_PROXY", which happens to be an environment variable which most
> HTTP client programs and libraries support as a way of telling them to
> route all requests through a proxy. See https://httpoxy.org for more
> information about this attack.
> The http-client egg is vulnerable to such an attack with the default
> value of "determine-proxy" (which is "determine-proxy-from-environment"),
> if it is used in a CGI program. This situation only occurs if this
> process is invoked by a HTTP server which converts the Proxy header as a
> HTTP_PROXY environment variable. The spiffy-cgi-handlers egg will do
> that in the default setup.
> If your CGI scripts are not using http-client, they may still be
> vulnerable depending on which HTTP client library or application
> you are using.
> These bugs have been fixed in http-client 0.10 and
> spiffy-cgi-handlers 0.5, so please update at your earliest convenience.
> If you are unable to update, both eggs provide sufficient hooks to fix
> this in user code, without patching the eggs:
> In spiffy-cgi-handlers, you can add ("HTTP_PROXY" . #f) to the
> cgi-default-environment parameter:
> (cons '("HTTP_PROXY" . #f) (cgi-default-environment)))
> This has precedence over the dynamically determined environment list
> which converts the "Proxy" header to "HTTP_PROXY".
> In http-client, you can disable or override the determine-proxy parameter
> with a custom procedure:
> (use data-structures)
> (determine-proxy (constantly #f))
> The updated versions of spiffy-cgi-handlers and http-client should be
> available shortly.
> Kind regards,
> Peter Bex
> Chicken-users mailing list
0290 DA75 E982 7D99 A51F E46A 387A 7695 7EBA 75FF
Description: OpenPGP digital signature