[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Chicken-users] [SECURITY] spiffy-cgi-handlers and http-client updat

From: Andy Bennett
Subject: Re: [Chicken-users] [SECURITY] spiffy-cgi-handlers and http-client updated to prevent "httpoxy" attack
Date: Sat, 23 Jul 2016 17:17:11 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.8.0

Hi Peter!

Thanks for all your work on this!

> A vulnerability called "httpoxy" has been announced, which affects a
> lot of software (server _and_ client) which speaks the HTTP protocol,
> allowing a man in the middle attack to be made on servers.  The
> spiffy-cgi-handlers and http-client eggs are also affected.
> In short, the CGI specification defines that all HTTP headers should be
> converted to environment variables, after uppercasing them and prefixing
> them with "HTTP_".  Unfortunately, this allows an attacker to pass a
> (nonexistent) "Proxy:" header, which will then be converted to
> "HTTP_PROXY", which happens to be an environment variable which most
> HTTP client programs and libraries support as a way of telling them to
> route all requests through a proxy.  See for more
> information about this attack.
> The http-client egg is vulnerable to such an attack with the default
> value of "determine-proxy" (which is "determine-proxy-from-environment"),
> if it is used in a CGI program.  This situation only occurs if this
> process is invoked by a HTTP server which converts the Proxy header as a
> HTTP_PROXY environment variable.  The spiffy-cgi-handlers egg will do
> that in the default setup.
> If your CGI scripts are not using http-client, they may still be
> vulnerable depending on which HTTP client library or application
> you are using.
> These bugs have been fixed in http-client 0.10 and
> spiffy-cgi-handlers 0.5, so please update at your earliest convenience.
> If you are unable to update, both eggs provide sufficient hooks to fix
> this in user code, without patching the eggs:
> In spiffy-cgi-handlers, you can add ("HTTP_PROXY" . #f) to the
> cgi-default-environment parameter:
> (cgi-default-environment
>    (cons '("HTTP_PROXY" . #f) (cgi-default-environment)))
> This has precedence over the dynamically determined environment list
> which converts the "Proxy" header to "HTTP_PROXY".
> In http-client, you can disable or override the determine-proxy parameter
> with a custom procedure:
> (use data-structures)
> (determine-proxy (constantly #f))
> The updated versions of spiffy-cgi-handlers and http-client should be
> available shortly.
> Kind regards,
> Peter Bex
> _______________________________________________
> Chicken-users mailing list
> address@hidden


0290 DA75 E982 7D99 A51F  E46A 387A 7695 7EBA 75FF

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]