Dominic Scheirlinck of VendHQ reports:
Many software projects and vendors have implemented support for the "Proxy" request header in their respective CGI implementations and languages by creating the "HTTP_PROXY" environment variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries), any outgoing requests generated in turn from the attacker's original request can be redirected to an attacker-controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or hold connections open, causing a potential denial of service.
The Go programming language can automatically populate the HTTP_PROXY environment variable with a user-supplied "Proxy" header.
Name: Scott Geary (VendHQ)
The Go package "net/http" honours $HTTP_PROXY as well as $http_proxy when making outbound requests, making CGI programs written in Go vulnerable.
Go HTTP servers that do not invoke CGI scripts are not directly vulnerable:
- the HTTP_PROXY var is not set in the server process's environment
- the HTTP_PROXY var is not set in subprocesses launched directly by os/exec
Created golang tracking bugs for this issue:
Affects: epel-6 [bug 1357601]
Affects: fedora-all [bug 1357602]
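The comments above describe the two halves of the problem in prose: the CGI server copies request headers into HTTP_* environment variables, and the HTTP client in the CGI child trusts HTTP_PROXY. The Go program below is an added illustration written for this page; it is not the Go project's code and not the patch in CL 25010. It models the environment as a plain map instead of calling os.Setenv, uses constructed header values, and the function names (HeadersToEnvNaive, HeadersToEnvHardened, LegacyProxyFromEnv, ProxyFromEnv) are assumptions. It shows the naive header-to-environment mapping beside a hardened one that drops the Proxy header, and a legacy proxy lookup beside one that ignores HTTP_PROXY whenever REQUEST_METHOD marks the process as a CGI child.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// cgiEnvName maps a request header name to its CGI meta-variable name
// the way the CGI spec prescribes: "Proxy" -> "HTTP_PROXY",
// "X-Forwarded-For" -> "HTTP_X_FORWARDED_FOR".
func cgiEnvName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// HeadersToEnvNaive models the pre-fix server behaviour: every request
// header is copied into the child's environment, so a client-supplied
// "Proxy" header silently becomes HTTP_PROXY.
func HeadersToEnvNaive(h http.Header) map[string]string {
	env := make(map[string]string)
	for name, vals := range h {
		env[cgiEnvName(name)] = strings.Join(vals, ", ")
	}
	return env
}

// HeadersToEnvHardened drops the "Proxy" header before building the
// environment. No HTTP client legitimately sends it, and passing it
// through is exactly what turns untrusted input into HTTP_PROXY.
func HeadersToEnvHardened(h http.Header) map[string]string {
	env := make(map[string]string)
	for name, vals := range h {
		if strings.EqualFold(name, "Proxy") {
			continue
		}
		env[cgiEnvName(name)] = strings.Join(vals, ", ")
	}
	return env
}

// LegacyProxyFromEnv models a client that honours HTTP_PROXY / http_proxy
// unconditionally, which is what makes a CGI program redirectable.
func LegacyProxyFromEnv(env map[string]string) (*url.URL, error) {
	proxy := env["HTTP_PROXY"]
	if proxy == "" {
		proxy = env["http_proxy"]
	}
	if proxy == "" {
		return nil, nil
	}
	return url.Parse(proxy)
}

// ProxyFromEnv is the client-side defence: when REQUEST_METHOD is present
// the process is a CGI child and every HTTP_* variable may carry request
// header data, so HTTP_PROXY is ignored entirely. Outside CGI the normal
// proxy variables are still honoured.
func ProxyFromEnv(env map[string]string) (*url.URL, error) {
	if _, inCGI := env["REQUEST_METHOD"]; inCGI {
		return nil, nil
	}
	return LegacyProxyFromEnv(env)
}

func main() {
	// Constructed request: an ordinary Host header plus a hostile Proxy header.
	h := http.Header{}
	h.Set("Host", "app.example.invalid")
	h.Set("Proxy", "http://proxy.example.invalid:8080")

	naive := HeadersToEnvNaive(h)
	naive["REQUEST_METHOD"] = "GET" // a CGI server always sets this
	hardened := HeadersToEnvHardened(h)
	hardened["REQUEST_METHOD"] = "GET"

	fmt.Println("naive env HTTP_PROXY:    ", naive["HTTP_PROXY"])
	fmt.Println("hardened env HTTP_PROXY: ", hardened["HTTP_PROXY"])

	legacy, _ := LegacyProxyFromEnv(naive)
	fixed, _ := ProxyFromEnv(naive)
	fmt.Println("legacy client proxy:     ", legacy)
	fmt.Println("CGI-aware client proxy:  ", fixed)
}
```

Either fix alone closes the hole for Go programs (the server stops creating HTTP_PROXY, or the client stops trusting it under CGI); the released fix applied both, so a Go CGI program is protected even when it runs under a non-Go web server that still forwards the header.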
Upstream announcement on golang-announce mailing list:
[security] Go 1.6.3 and 1.7rc2 are released
A security-related issue was recently reported in Go's net/http/cgi package and net/http package when used in a CGI environment. Go 1.6.3 and Go 1.7rc2 will contain a fix for this issue.
Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation flaw in the CGI components resulting in the HTTP_PROXY environment variable being set by the incoming Proxy header. This environment variable was also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program.
This is CVE-2016-5386 and was addressed by this change: https://golang.org/cl/25010, tracked in this issue: https://golang.org/issue/16405
The Go team would like to thank Dominic Scheirlinck for coordinating disclosure of this issue across multiple languages and CGI environments. Read more about "httpoxy" here: https://httpoxy.org/
Go 1.6.3 also adds support for macOS Sierra. See https://golang.org/issue/16354 for details.
Downloads are available at https://golang.org/dl for all supported platforms.
Chris (on behalf of the Go team)
golang-1.6.3-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
golang-1.5.4-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1538 https://rhn.redhat.com/errata/RHSA-2016-1538.html