Bug 1353760 – CVE-2016-1000104 mod_fcgid: mod_fcgid sets environmental variable based on user supplied Proxy request header

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1353760 - (CVE-2016-1000104) CVE-2016-1000104 mod_fcgid: mod_fcgid sets environmental variable based on user supplied Proxy request header

Summary:	CVE-2016-1000104 mod_fcgid: mod_fcgid sets environmental variable based on us...

Status:	CLOSED WONTFIX

Aliases:	CVE-2016-1000104

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20160718,repo...
Keywords:	Security

Depends On:
Blocks:	1353762
	Show dependency tree / graph

Reported:	2016-07-07 19:04 EDT by Kurt Seifried
Modified:	2016-07-19 03:16 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-07-14 21:29:20 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Kurt Seifried 2016-07-07 19:04:30 EDT

Dominic Scheirlinck of VendHQ reports:

Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service. 

The mod_fcgi module provides support for CGI. If passed a “Proxy” header in the request mod_cgi will automatically populate the HTTP_PROXY environmental variable with whatever user supplied value is present.

Comment 1 Kurt Seifried 2016-07-07 19:04:33 EDT

Acknowledgments:

Name: Scott Geary (VendHQ)

Comment 5 Kurt Seifried 2016-07-14 21:29:20 EDT

Statement:

This issue is addressed through the Apache HTTPD update for CVE-2016-5387 which prevent the Proxy header from automatically being converted into the HTTP_PROXY environmental variable. Unless the "FcgidPassHeader Proxy" is used mod_fcgid is not vulnerable to this attack when used with updated HTTPD. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.