Dominic Scheirlinck of VendHQ reports: Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service. The PHP web framework contains will automatically populate the HTTP_PROXY environmental variable with a user supplied "Proxy" header.
Acknowledgments: Name: Scott Geary (VendHQ)
There are several possible deployment scenarios for PHP. Under the most common (apache + mod_php(sapi)), it appears to be safe: - HTTP_PROXY makes it into $_SERVER, but not $_ENV - builtin curl functions are not affected - the variable does not leak into subprocesses through exec() or system() This covers the most likely vectors. The client-provided value is returned by php function getenv('HTTP_PROXY') or getenv('http_proxy') (the argument is case-insensitive), which may still lead to vulnerabilities in naively-written modules which expect this function to be similar to libc's getenv(3).
php in CGI configuration: - HTTP_PROXY makes it into the process environment - also into subprocesses through system()/exec() - builtin libcurl only honours http_proxy, but not HTTP_PROXY Tested with apache: <FilesMatch \.php$> SetHandler application/x-httpd-php </FilesMatch> Action application/x-httpd-php /cgi-bin/php-cgi
(In reply to Doran Moppert from comment #2) > This covers the most likely vectors. > > The client-provided value is returned by php function getenv('HTTP_PROXY') > or getenv('http_proxy') (the argument is case-insensitive), which may still > lead to vulnerabilities in naively-written modules which expect this > function to be similar to libc's getenv(3). Note that the original reporter argues that the use of getenv('HTTP_PROXY') may not be as unlikely as it might seem, providing Guzzle HTTP client as an example of a widely used PHP application affected by this issue in the mod_php use case. https://github.com/guzzle/guzzle/blob/443a7a62/src/Client.php#L166
getenv is case sensitive on Linux (can insensitive only on Windows)
(In reply to Remi Collet from comment #9) > getenv is case sensitive on Linux (can insensitive only on Windows) Are you referring to this Doran's comment? (In reply to Doran Moppert from comment #2) > The client-provided value is returned by php function getenv('HTTP_PROXY') > or getenv('http_proxy') (the argument is case-insensitive), Apparently, PHP's getenv() is case insensitive under mod_php (apache2handler), but sensitive under CGI (cgi-fcgi). There does not seem to be a difference between real process environment and SAPI environment, so getenv('path') and getenv('http_proxy') return the same result as getenv('PATH') and getenv('HTTP_PROXY').
Upstream commit http://git.php.net/?p=php-src.git;a=commit;h=98b9dfaec95e6f910f125ed172cdbd25abd006ec Additional commit adding a FPM unit test (5.6+) http://git.php.net/?p=php-src.git;a=commit;h=fb4a6dc0f1df106dae84c9d8f3ec53cc0da7231b
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Via RHSA-2016:1610 https://rhn.redhat.com/errata/RHSA-2016-1610.html
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Via RHSA-2016:1612 https://rhn.redhat.com/errata/RHSA-2016-1612.html
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Via RHSA-2016:1611 https://rhn.redhat.com/errata/RHSA-2016-1611.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:1609 https://rhn.redhat.com/errata/RHSA-2016-1609.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:1613 https://rhn.redhat.com/errata/RHSA-2016-1613.html