Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1357345 - (CVE-2016-1000111) CVE-2016-1000111 Python Twisted: sets environmental variable based on user supplied Proxy request header
CVE-2016-1000111 Python Twisted: sets environmental variable based on user su...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20160718,repo...
: Security
Depends On: 1357613 1357614 1358789 1358790 1358791 1358792 1540791 1540792
Blocks: 1353762
  Show dependency treegraph
 
Reported: 2016-07-17 23:38 EDT by Kurt Seifried
Modified: 2018-09-28 17:56 EDT (History)
23 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-13 04:59:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1978 normal SHIPPED_LIVE Important: python-twisted-web security update 2016-09-29 18:54:01 EDT
Red Hat Product Errata RHSA-2018:0273 normal SHIPPED_LIVE Important: Red Hat Satellite 6 security, bug fix, and enhancement update 2018-02-07 19:35:29 EST

  None (edit)
Description Kurt Seifried 2016-07-17 23:38:28 EDT 
Dominic Scheirlinck of VendHQ reports:

Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service.
Comment 1 Kurt Seifried 2016-07-17 23:38:31 EDT 
Acknowledgments:

Name: Scott Geary (VendHQ)
Comment 2 Stefan Cornelius 2016-07-18 12:05:00 EDT 
Created python-twisted-web2 tracking bugs for this issue:

Affects: fedora-all [bug 1357613]
Comment 3 Stefan Cornelius 2016-07-18 12:05:07 EDT 
Created python-twisted-web tracking bugs for this issue:

Affects: epel-5 [bug 1357614]
Comment 9 errata-xmlrpc 2016-09-29 14:57:29 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:1978 https://rhn.redhat.com/errata/RHSA-2016-1978.html
Comment 10 Kurt Seifried 2016-12-16 12:36:40 EST 
Statement:

This issue affects the versions of python-twisted as shipped with Red Hat Satellite 6.x. However due to the manner in which python-twisted is used exploitation of this issue by an attacker would require significant access to the server, or be able to modify requests from other users via additional vulnerabilities. A future update may address this issue.
Comment 12 errata-xmlrpc 2018-02-05 08:54:21 EST 
This issue has been addressed in the following products:

  Red Hat Satellite 6.2 for RHEL 7
  Red Hat Satellite 6.2 for RHEL 6

Via RHSA-2018:0273 https://access.redhat.com/errata/RHSA-2018:0273
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.