Bug 1353794 (CVE-2016-5385)
| Summary: | CVE-2016-5385 PHP: sets environmental variable based on user supplied Proxy request header | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | anemec, dmoppert, hhorak, jorton, kseifried, rcollet, sardella, security-response-team, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-08-12 08:34:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1356511, 1356512, 1356513, 1356514, 1356515, 1356516, 1358694, 1358695, 1358696, 1359157, 1359158, 1359159 | ||
| Bug Blocks: | 1353762 | ||
|
Description
Kurt Seifried
2016-07-08 03:17:13 UTC
Acknowledgments: Name: Scott Geary (VendHQ) There are several possible deployment scenarios for PHP. Under the most common (apache + mod_php(sapi)), it appears to be safe:
- HTTP_PROXY makes it into $_SERVER, but not $_ENV
- builtin curl functions are not affected
- the variable does not leak into subprocesses through exec() or system()
This covers the most likely vectors.
The client-provided value is returned by php function getenv('HTTP_PROXY') or getenv('http_proxy') (the argument is case-insensitive), which may still lead to vulnerabilities in naively-written modules which expect this function to be similar to libc's getenv(3).
php in CGI configuration:
- HTTP_PROXY makes it into the process environment
- also into subprocesses through system()/exec()
- builtin libcurl only honours http_proxy, but not HTTP_PROXY
Tested with apache:
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
Action application/x-httpd-php /cgi-bin/php-cgi
(In reply to Doran Moppert from comment #2) > This covers the most likely vectors. > > The client-provided value is returned by php function getenv('HTTP_PROXY') > or getenv('http_proxy') (the argument is case-insensitive), which may still > lead to vulnerabilities in naively-written modules which expect this > function to be similar to libc's getenv(3). Note that the original reporter argues that the use of getenv('HTTP_PROXY') may not be as unlikely as it might seem, providing Guzzle HTTP client as an example of a widely used PHP application affected by this issue in the mod_php use case. https://github.com/guzzle/guzzle/blob/443a7a62/src/Client.php#L166 getenv is case sensitive on Linux (can insensitive only on Windows) (In reply to Remi Collet from comment #9) > getenv is case sensitive on Linux (can insensitive only on Windows) Are you referring to this Doran's comment? (In reply to Doran Moppert from comment #2) > The client-provided value is returned by php function getenv('HTTP_PROXY') > or getenv('http_proxy') (the argument is case-insensitive), Apparently, PHP's getenv() is case insensitive under mod_php (apache2handler), but sensitive under CGI (cgi-fcgi). There does not seem to be a difference between real process environment and SAPI environment, so getenv('path') and getenv('http_proxy') return the same result as getenv('PATH') and getenv('HTTP_PROXY'). Upstream commit http://git.php.net/?p=php-src.git;a=commit;h=98b9dfaec95e6f910f125ed172cdbd25abd006ec Additional commit adding a FPM unit test (5.6+) http://git.php.net/?p=php-src.git;a=commit;h=fb4a6dc0f1df106dae84c9d8f3ec53cc0da7231b This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Via RHSA-2016:1610 https://rhn.redhat.com/errata/RHSA-2016-1610.html This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Via RHSA-2016:1612 https://rhn.redhat.com/errata/RHSA-2016-1612.html This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Via RHSA-2016:1611 https://rhn.redhat.com/errata/RHSA-2016-1611.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:1609 https://rhn.redhat.com/errata/RHSA-2016-1609.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:1613 https://rhn.redhat.com/errata/RHSA-2016-1613.html |