Bug 1360638 (CVE-2016-1000212)

Summary: CVE-2016-1000212 lighttpd: sets environmental variable based on user supplied Proxy request header
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: carnil, gwync, rhbugs
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-27 08:43:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1360640, 1360641    
Bug Blocks:    

Description Adam Mariš 2016-07-27 08:42:41 UTC 
Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service.

lighttpd fix:

https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/779c133c16f9af168b004dce7a2a64f16c1cb3a4/diff
Comment 1 Adam Mariš 2016-07-27 08:43:07 UTC 
Created lighttpd tracking bugs for this issue:

Affects: fedora-all [bug 1360640]
Affects: epel-all [bug 1360641]