Red Hat Bugzilla – Bug 1290405
CVE-2015-7519 passenger: Header overwriting issue allowing user impersonation
Last modified: 2017-11-30 07:00:47 EST
It was found that when the SCGI protocol is used and an app depends on a header set by a trusted server that includes a dash, it is possible for an untrusted remote client to set a colliding header, which would appear different to the server and won't be overwritten but preserved, e.g.
Conversion of the headers for SCGI requires dropping the difference (in this case _ and -), which results in Passenger sending two headers with the same key:
The value of the second HTTP_FOOBAR_USER may overwrite the value of the first if a hashmap is used, making the application believe a different value was set by the server. If the header is used for authentication, an unauthenticated remote attacker can impersonate a local user.
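The collision described above, as an added example that is not part of the original report and is not Passenger code: it applies the CGI-style name conversion to a constructed request, shows what an application sees when it loads the result into a hashmap, reports colliding names, and applies one possible defensive filter. The header names Foobar-User and Foobar_User, their values, and the choice to drop client header names containing an underscore are assumptions made for illustration.

```python
# Added example: constructed header names and values, not taken from Passenger.

def cgi_key(name):
    """CGI/SCGI-style variable name: upper-case, '-' becomes '_', HTTP_ prefix."""
    return "HTTP_" + name.upper().replace("-", "_")

def to_cgi_pairs(headers):
    """Convert (name, value) pairs in wire order, keeping duplicates as sent."""
    return [(cgi_key(n), v) for n, v in headers]

def app_view(headers):
    """What an application sees if it loads the pairs into a dict (last wins)."""
    return dict(to_cgi_pairs(headers))

def find_collisions(headers):
    """Return {cgi_key: [original names]} where distinct names map to one key."""
    seen = {}
    for name, _ in headers:
        names = seen.setdefault(cgi_key(name), [])
        if name.lower() not in [n.lower() for n in names]:
            names.append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}

def drop_underscore_headers(headers):
    """Defensive filter (assumed policy): discard header names containing '_'."""
    return [(n, v) for n, v in headers if "_" not in n]

# Constructed request: the trusted front end set Foobar-User,
# the client added Foobar_User, which the front end treats as a different header.
REQUEST = [
    ("Host", "app.example"),
    ("Foobar-User", "alice"),   # set by the trusted server
    ("Foobar_User", "admin"),   # supplied by the untrusted client
]

if __name__ == "__main__":
    print(to_cgi_pairs(REQUEST))                   # two HTTP_FOOBAR_USER entries
    print(app_view(REQUEST)["HTTP_FOOBAR_USER"])   # client value wins in the dict
    print(find_collisions(REQUEST))                # names that collapse to one key
    filtered = drop_underscore_headers(REQUEST)
    print(app_view(filtered)["HTTP_FOOBAR_USER"])  # trusted value survives
```

Running find_collisions over logged request headers is a way to spot requests that carry both spellings of a trusted header name.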
Created passenger tracking bugs for this issue:
Affects: fedora-all [bug 1290408]
Original SUSE bug report:
Issue was fixed upstream in both 5.0.22 and 4.0.60:
Upstream blog post with further details and workaround for setups using httpd.