Dominic Scheirlinck of VendHQ reports: Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service.
Acknowledgments: Name: Scott Geary (VendHQ)
Created python-twisted-web2 tracking bugs for this issue: Affects: fedora-all [bug 1357613]
Created python-twisted-web tracking bugs for this issue: Affects: epel-5 [bug 1357614]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2016:1978 https://rhn.redhat.com/errata/RHSA-2016-1978.html
Statement: This issue affects the versions of python-twisted as shipped with Red Hat Satellite 6.x. However due to the manner in which python-twisted is used exploitation of this issue by an attacker would require significant access to the server, or be able to modify requests from other users via additional vulnerabilities. A future update may address this issue.
This issue has been addressed in the following products: Red Hat Satellite 6.2 for RHEL 7 Red Hat Satellite 6.2 for RHEL 6 Via RHSA-2018:0273 https://access.redhat.com/errata/RHSA-2018:0273