Bug 1357334 (CVE-2016-1000110) - CVE-2016-1000110 Python CGIHandler: sets environmental variable based on user supplied Proxy request header
Summary: CVE-2016-1000110 Python CGIHandler: sets environmental variable based on user...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-1000110
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1359161 1359162 1359163 1359164 1359167 1359168 1359169 1359170 1359171 1359172 1359173 1359174 1359175 1359177 1359178 1359179
Blocks: 1353762
TreeView+ depends on / blocked
 
Reported: 2016-07-18 03:34 UTC by Kurt Seifried
Modified: 2021-02-17 03:36 UTC (History)
24 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request.
Clone Of:
Environment:
Last Closed: 2016-10-13 08:59:50 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Python 27568 0 None None None 2016-07-23 23:13:19 UTC
Red Hat Product Errata RHSA-2016:1626 0 normal SHIPPED_LIVE Moderate: python security update 2016-08-18 22:39:32 UTC
Red Hat Product Errata RHSA-2016:1627 0 normal SHIPPED_LIVE Moderate: rh-python35-python security update 2016-08-18 21:57:16 UTC
Red Hat Product Errata RHSA-2016:1628 0 normal SHIPPED_LIVE Moderate: python27-python security update 2016-08-19 00:07:06 UTC
Red Hat Product Errata RHSA-2016:1629 0 normal SHIPPED_LIVE Moderate: python33-python security update 2016-08-19 00:26:12 UTC
Red Hat Product Errata RHSA-2016:1630 0 normal SHIPPED_LIVE Moderate: rh-python34-python security update 2016-08-19 00:25:58 UTC

Description Kurt Seifried 2016-07-18 03:34:46 UTC
Dominic Scheirlinck of VendHQ reports:

Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service.

Comment 1 Kurt Seifried 2016-07-18 03:34:50 UTC
Acknowledgments:

Name: Scott Geary (VendHQ)

Comment 7 Stefan Cornelius 2016-07-22 12:43:17 UTC
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1359175]

Comment 8 Stefan Cornelius 2016-07-22 12:43:29 UTC
Created python26 tracking bugs for this issue:

Affects: epel-5 [bug 1359178]

Comment 9 Stefan Cornelius 2016-07-22 12:43:40 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1359177]

Comment 10 Stefan Cornelius 2016-07-22 12:43:49 UTC
Created python34 tracking bugs for this issue:

Affects: epel-7 [bug 1359179]

Comment 14 errata-xmlrpc 2016-08-18 18:04:50 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS

Via RHSA-2016:1627 https://rhn.redhat.com/errata/RHSA-2016-1627.html

Comment 15 errata-xmlrpc 2016-08-18 18:41:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:1626 https://rhn.redhat.com/errata/RHSA-2016-1626.html

Comment 16 errata-xmlrpc 2016-08-18 20:09:09 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:1628 https://rhn.redhat.com/errata/RHSA-2016-1628.html

Comment 17 errata-xmlrpc 2016-08-18 20:30:08 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:1630 https://rhn.redhat.com/errata/RHSA-2016-1630.html

Comment 18 errata-xmlrpc 2016-08-18 20:31:32 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:1629 https://rhn.redhat.com/errata/RHSA-2016-1629.html


Note You need to log in before you can comment on or make changes to this bug.