It was found that when the SCGI protocol is used and an application depends on a header set by a trusted server whose name includes a dash, an untrusted remote client can set a colliding header. The colliding header looks different to the server, so it is neither overwritten nor dropped but preserved alongside the trusted one, e.g.

Foobar-User: user
Foobar_User: impersonation

Converting the headers for SCGI requires dropping the difference (in this case between "_" and "-"), which results in Passenger sending two headers with the same key:

HTTP_FOOBAR_USER: user
HTTP_FOOBAR_USER: impersonation

If the application stores the headers in a hashmap, the value of the second HTTP_FOOBAR_USER may overwrite the value of the first, making the application believe the trusted server set a different value. If the header is used for authentication, an unauthenticated remote attacker can impersonate a local user.

Upstream patch: https://github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e
Public via: http://seclists.org/oss-sec/2015/q4/443
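The collision described above, as an added Ruby example that is not Passenger's own code and not the upstream patch: it applies the CGI-style normalization used for SCGI (uppercase, "-" becomes "_", "HTTP_" prefix) to a constructed header list, shows the last-write-wins overwrite into a Hash, and then shows two illustrative mitigations (rejecting requests whose distinct header names normalize to one key, and dropping client headers that contain an underscore before conversion). The function names, the AmbiguousHeader error and the sample headers are assumptions made for this example.

```ruby
# Added example, not Passenger code. Shows how SCGI header normalization
# lets "Foobar_User" collide with the trusted "Foobar-User" header.

# Constructed sample request: the trusted front-end server appended
# Foobar-User, the untrusted client supplied Foobar_User. Order matters,
# because the later header wins when both land in a Hash.
SAMPLE_HEADERS = [
  ["Host", "app.example"],
  ["Foobar-User", "user"],          # set by the trusted server
  ["Foobar_User", "impersonation"], # set by the untrusted remote client
].freeze

# Normalize an HTTP header name into its CGI/SCGI environment key.
# Both "Foobar-User" and "Foobar_User" map to HTTP_FOOBAR_USER.
def scgi_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Vulnerable conversion: every header is written straight into a Hash,
# so a later header with a colliding key silently replaces the earlier one.
def to_scgi_env_vulnerable(headers)
  env = {}
  headers.each { |name, value| env[scgi_key(name)] = value }
  env
end

# Raised when two different raw header names normalize to the same key.
class AmbiguousHeader < StandardError; end

# Mitigation 1 (illustrative): remember which raw name produced each key
# and refuse the request when a different raw name maps to an existing key.
# A repeated header with the same name is still allowed (last value wins,
# as in the vulnerable version); only cross-name collisions are rejected.
def to_scgi_env_hardened(headers)
  env = {}
  origin = {}
  headers.each do |name, value|
    key = scgi_key(name)
    if origin.key?(key) && origin[key].downcase != name.downcase
      raise AmbiguousHeader, "#{origin[key]} and #{name} both map to #{key}"
    end
    origin[key] = name
    env[key] = value
  end
  env
end

# Mitigation 2 (illustrative, the proxy-side approach): drop any header
# whose name contains an underscore before the request reaches the
# converter, so only the canonical dashed form can set HTTP_FOOBAR_USER.
def drop_underscore_headers(headers)
  headers.reject { |name, _value| name.include?("_") }
end

# Returns :rejected when the hardened converter refuses the request.
def hardened_result(headers)
  to_scgi_env_hardened(headers)
rescue AmbiguousHeader
  :rejected
end

if __FILE__ == $0
  puts "vulnerable: #{to_scgi_env_vulnerable(SAMPLE_HEADERS)['HTTP_FOOBAR_USER']}"
  puts "hardened:   #{hardened_result(SAMPLE_HEADERS)}"
  puts "filtered:   #{hardened_result(drop_underscore_headers(SAMPLE_HEADERS))['HTTP_FOOBAR_USER']}"
end
```

The vulnerable converter returns "impersonation" for HTTP_FOOBAR_USER even though the trusted server set "user"; the collision check rejects the request, and stripping underscore headers at the edge leaves only the trusted value. Whichever mitigation a deployment uses, the application itself should never trust a header that the front-end server does not guarantee to overwrite or remove.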
Created passenger tracking bugs for this issue: Affects: fedora-all [bug 1290408]
Original SUSE bug report: https://bugzilla.suse.com/show_bug.cgi?id=956281

Issue was fixed upstream in both 5.0.22 and 4.0.60:
https://blog.phusion.nl/2015/12/07/passenger-5-0-22/
https://blog.phusion.nl/2015/12/07/passenger-4-0-60/

Upstream blog post with further details and a workaround for setups using httpd:

External References:
https://blog.phusion.nl/2015/12/07/cve-2015-7519/