Bug 1353794 - (CVE-2016-5385) CVE-2016-5385 PHP: sets environmental variable based on user supplied Proxy request header
CVE-2016-5385 PHP: sets environmental variable based on user supplied Proxy r...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160718,repor...
: Security
Depends On: 1356511 1356512 1356513 1356514 1356515 1356516 1358694 1358695 1358696 1359157 1359158 1359159
Blocks: 1353762
  Show dependency treegraph
 
Reported: 2016-07-07 23:17 EDT by Kurt Seifried
Modified: 2016-08-12 04:34 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-12 04:34:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1609 normal SHIPPED_LIVE Moderate: php security update 2016-09-01 21:54:54 EDT
Red Hat Product Errata RHSA-2016:1610 normal SHIPPED_LIVE Moderate: php54-php security update 2016-08-11 20:47:52 EDT
Red Hat Product Errata RHSA-2016:1611 normal SHIPPED_LIVE Moderate: php55-php security update 2016-08-11 21:35:50 EDT
Red Hat Product Errata RHSA-2016:1612 normal SHIPPED_LIVE Moderate: rh-php56-php security update 2016-08-11 21:35:36 EDT
Red Hat Product Errata RHSA-2016:1613 normal SHIPPED_LIVE Moderate: php security and bug fix update 2016-08-11 22:10:23 EDT

  None (edit)
Description Kurt Seifried 2016-07-07 23:17:13 EDT
Dominic Scheirlinck of VendHQ reports:

Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service. 

The PHP web framework contains will automatically populate the HTTP_PROXY environmental variable with a user supplied "Proxy" header.
Comment 1 Kurt Seifried 2016-07-07 23:17:18 EDT
Acknowledgments:

Name: Scott Geary (VendHQ)
Comment 2 Doran Moppert 2016-07-08 00:44:16 EDT
There are several possible deployment scenarios for PHP.  Under the most common (apache + mod_php(sapi)), it appears to be safe:

  - HTTP_PROXY makes it into $_SERVER, but not $_ENV
  - builtin curl functions are not affected
  - the variable does not leak into subprocesses through exec() or system()

This covers the most likely vectors.

The client-provided value is returned by php function getenv('HTTP_PROXY') or getenv('http_proxy') (the argument is case-insensitive), which may still lead to vulnerabilities in naively-written modules which expect this function to be similar to libc's getenv(3).
Comment 3 Doran Moppert 2016-07-08 01:00:14 EDT
php in CGI configuration:

  - HTTP_PROXY makes it into the process environment
  - also into subprocesses through system()/exec()
  - builtin libcurl only honours http_proxy, but not HTTP_PROXY



Tested with apache:

  <FilesMatch \.php$>
    SetHandler application/x-httpd-php
  </FilesMatch>
  Action application/x-httpd-php /cgi-bin/php-cgi
Comment 8 Tomas Hoger 2016-07-13 05:16:19 EDT
(In reply to Doran Moppert from comment #2)
> This covers the most likely vectors.
> 
> The client-provided value is returned by php function getenv('HTTP_PROXY')
> or getenv('http_proxy') (the argument is case-insensitive), which may still
> lead to vulnerabilities in naively-written modules which expect this
> function to be similar to libc's getenv(3).

Note that the original reporter argues that the use of getenv('HTTP_PROXY') may not be as unlikely as it might seem, providing Guzzle HTTP client as an example of a widely used PHP application affected by this issue in the mod_php use case.

https://github.com/guzzle/guzzle/blob/443a7a62/src/Client.php#L166
Comment 9 Remi Collet 2016-07-13 05:43:50 EDT
getenv is case sensitive on Linux (can insensitive only on Windows)
Comment 10 Tomas Hoger 2016-07-13 06:22:17 EDT
(In reply to Remi Collet from comment #9)
> getenv is case sensitive on Linux (can insensitive only on Windows)

Are you referring to this Doran's comment?

(In reply to Doran Moppert from comment #2)
> The client-provided value is returned by php function getenv('HTTP_PROXY')
> or getenv('http_proxy') (the argument is case-insensitive),

Apparently, PHP's getenv() is case insensitive under mod_php (apache2handler), but sensitive under CGI (cgi-fcgi).  There does not seem to be a difference between real process environment and SAPI environment, so getenv('path') and getenv('http_proxy') return the same result as getenv('PATH') and getenv('HTTP_PROXY').
Comment 29 errata-xmlrpc 2016-08-11 16:48:09 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2016:1610 https://rhn.redhat.com/errata/RHSA-2016-1610.html
Comment 30 errata-xmlrpc 2016-08-11 17:36:07 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2016:1612 https://rhn.redhat.com/errata/RHSA-2016-1612.html
Comment 31 errata-xmlrpc 2016-08-11 17:36:21 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2016:1611 https://rhn.redhat.com/errata/RHSA-2016-1611.html
Comment 32 errata-xmlrpc 2016-08-11 17:53:56 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1609 https://rhn.redhat.com/errata/RHSA-2016-1609.html
Comment 33 errata-xmlrpc 2016-08-11 18:10:44 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1613 https://rhn.redhat.com/errata/RHSA-2016-1613.html

Note You need to log in before you can comment on or make changes to this bug.