Bug 1353758 (CVE-2016-1000105)

Summary: CVE-2016-1000105 Nginx: fastcgi sets environmental variable based on user supplied Proxy request header
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anemec, bperkins, crrobins, dmoppert, hhorak, jkaluza, jorton, luhliari, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-08 03:02:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1353762    

Description Kurt Seifried 2016-07-07 22:58:48 UTC 
Dominic Scheirlinck of VendHQ reports:

Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service. 

The Nginx HTTP server contains support for Fast CGI. If passed a “Proxy” header in the request Fast CGI  will automatically populate the HTTP_PROXY environmental variable with whatever user supplied value is present.
Comment 1 Kurt Seifried 2016-07-07 22:58:53 UTC 
Acknowledgments:

Name: Scott Geary (VendHQ)
Comment 2 Doran Moppert 2016-07-08 01:37:16 UTC 
To clarify where the danger lies:

- nginx does not itself support CGI, only FastCGI
- in the FastCGI scenario, nginx does not start the worker process;
  only communicates with it over a socket.  Thus it cannot set env
  variables, and can send HTTP_PROXY safely

Thus FastCGI processes are not vulnerable directly.  See [1].

However, the recommended way to run CGI processes behind nginx at
[2] copies the environment indiscriminately, rendering the CGI
itself vulnerable.  While not part of our supported products, it
is likely some customers are using this technique to expose legacy
CGI apps behind nginx.

[1]: http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html
[2]: https://www.nginx.com/resources/wiki/start/topics/examples/simplecgi/
Comment 3 Kurt Seifried 2016-07-08 03:02:20 UTC 
Closing this as NOTABUG, as the script is the affected component it has gotten a CVE, but we don't ship it and we don't appear to use it so closing this. The CVE will be REJECT'ed.