SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Apache HTTPD Vendors:   Apache Software Foundation
(Oracle Issues Fix for Oracle Linux) Apache HTTPD CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases
SecurityTracker Alert ID:  1036342
SecurityTracker URL:  http://securitytracker.com/id/1036342
CVE Reference:   CVE-2016-5387   (Links to External Site)
Date:  Jul 18 2016
Impact:   Disclosure of system information, Disclosure of user information, Host/resource access via network, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability reported in CGI applications that run on Apache HTTPD. A remote user can redirect the target CGI application requests to an arbitrary web proxy in certain cases.

On systems where the Apache HTTPD server is configured to proxy HTTP requests and the target CGI application relies on the HTTP_PROXY environment variable in a trusted manner, a remote user can send (or can conduct a man-in-the-middle attack to insert or modify) a specially crafted HTTP "Proxy:" header to cause the target CGI application to proxy HTTP connections to an arbitrary port on an arbitrary server. This can be exploited to set the HTTP_PROXY variable on the target CGI application server and cause CGI application server internal requests to be proxied, in certain cases.

The vulnerability resides in the CGI applications that use the HTTP_PROXY variable.

[Editor's note: This is not an Apache HTTPD vulnerability, per se. Rather, it is a vulnerability in CGI modules or applications that may run on Apache HTTPD or other web server platforms.]

Other CGI application platforms are affected.

The original advisory is available at:

https://httpoxy.org/

Dominic Scheirlinck and Scott Geary of Vend reported this vulnerability. Other researchers have reported aspects of this vulnerability affecting various applications since at least 2001.

Impact:   A remote user that can conduct a man-in-the-middle attack can redirect the target CGI application requests to an arbitrary web proxy in certain cases.
Solution:   Oracle has issued a fix.

The Oracle Linux advisory is available at:

http://linux.oracle.com/errata/ELSA-2016-1422.html

Vendor URL:  linux.oracle.com/errata/ELSA-2016-1422.html (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Oracle)
Underlying OS Comments:  5, 6, 7

Message History:   This archive entry is a follow-up to the message listed below.
Jul 18 2016 Apache HTTPD CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases



 Source Message Contents

Subject:  [El-errata] ELSA-2016-1422 Important: Oracle Linux 7 httpd security and bug fix update

Oracle Linux Security Advisory ELSA-2016-1422

http://linux.oracle.com/errata/ELSA-2016-1422.html

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
httpd-2.4.6-40.0.1.el7_2.4.x86_64.rpm
httpd-devel-2.4.6-40.0.1.el7_2.4.x86_64.rpm
httpd-manual-2.4.6-40.0.1.el7_2.4.noarch.rpm
httpd-tools-2.4.6-40.0.1.el7_2.4.x86_64.rpm
mod_ldap-2.4.6-40.0.1.el7_2.4.x86_64.rpm
mod_proxy_html-2.4.6-40.0.1.el7_2.4.x86_64.rpm
mod_session-2.4.6-40.0.1.el7_2.4.x86_64.rpm
mod_ssl-2.4.6-40.0.1.el7_2.4.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/httpd-2.4.6-40.0.1.el7_2.4.src.rpm



Description of changes:

[2.4.6-40.0.1.4]
- replace index.html with Oracle's index page oracle_index.html

[2.4.6-40.4]
- add security fix for CVE-2016-5387

[2.4.6-40.3]
- add 451 (Unavailable For Legal Reasons) response status-code (#1353269)

[2.4.6-40.2]
- mod_cache: treat cache as valid with changed Expires in 304 (#1347648)


_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC