SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   Apple macOS/OS X Vendors:   Apple
Apple macOS Server "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases
SecurityTracker Alert ID:  1036853
SecurityTracker URL:  http://securitytracker.com/id/1036853
CVE Reference:   CVE-2016-4694, CVE-2016-4754   (Links to External Site)
Date:  Sep 21 2016
Impact:   Disclosure of system information, Disclosure of user information, Host/resource access via network, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): macOS Server prior to 5.2
Description:   Two vulnerabilities were reported in Apple macOS Server. A remote user can proxy traffic to an arbitrary server. A remote user can obtain potentially sensitive information.

On systems where the the server is configured to proxy HTTP requests and the target CGI application relies on the HTTP_PROXY environment variable in a trusted manner, a remote user can send (or can conduct a man-in-the-middle attack to insert or modify) a specially crafted HTTP "Proxy:" header to cause the target CGI application to proxy HTTP connections to an arbitrary port on an arbitrary server [CVE-2016-4694]. This can be exploited to set the HTTP_PROXY variable on the target CGI application server and cause CGI application server internal requests to be proxied, in certain cases.

The vulnerability resides in the macOS Server CGI applications that use the HTTP_PROXY variable.

[Editor's note: This is not a macOS Server vulnerability, per se. Rather, it is a vulnerability in CGI modules or applications that may run on macOS Server or other web server platforms.]

Other CGI application platforms are affected.

The original advisory is available at:

https://httpoxy.org/

Dominic Scheirlinck and Scott Geary of Vend reported this vulnerability. Other researchers have reported aspects of this vulnerability affecting various applications since at least 2001.

For ServerDocs Server connections using the obsolete RC4 algorithm, a remote user that can monitor the network can decrypt the connection [CVE-2016-4754].

Pepi Zawodsky reported this vulnerability.

Impact:   A remote user can proxy traffic to an arbitrary server.

A remote user can obtain potentially sensitive information from ServerDocs Server connections.

Solution:   The vendor has issued a fix (macOS Server 5.2).

The vendor advisory is available at:

https://support.apple.com/en-us/HT207171

Vendor URL:  support.apple.com/en-us/HT207171 (Links to External Site)
Cause:   Input validation error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 21 2016 (Apple Issues Fix for Apple macOS/OS X) Apple macOS Server "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases
Apple has issued a fix for Apple macOS/OS X.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC