[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Chicken-announce] [SECURITY] spiffy-cgi-handlers and http-client update
[Chicken-announce] [SECURITY] spiffy-cgi-handlers and http-client updated to prevent "httpoxy" attack
Thu, 21 Jul 2016 20:21:38 +0200
Hello CHICKEN users,
A vulnerability called "httpoxy" has been announced, which affects a
lot of software (server _and_ client) which speaks the HTTP protocol,
allowing a man in the middle attack to be made on servers. The
spiffy-cgi-handlers and http-client eggs are also affected.
In short, the CGI specification defines that all HTTP headers should be
converted to environment variables, after uppercasing them and prefixing
them with "HTTP_". Unfortunately, this allows an attacker to pass a
(nonexistent) "Proxy:" header, which will then be converted to
"HTTP_PROXY", which happens to be an environment variable which most
HTTP client programs and libraries support as a way of telling them to
route all requests through a proxy. See https://httpoxy.org for more
information about this attack.
The http-client egg is vulnerable to such an attack with the default
value of "determine-proxy" (which is "determine-proxy-from-environment"),
if it is used in a CGI program. This situation only occurs if this
process is invoked by a HTTP server which converts the Proxy header as a
HTTP_PROXY environment variable. The spiffy-cgi-handlers egg will do
that in the default setup.
If your CGI scripts are not using http-client, they may still be
vulnerable depending on which HTTP client library or application
you are using.
These bugs have been fixed in http-client 0.10 and
spiffy-cgi-handlers 0.5, so please update at your earliest convenience.
If you are unable to update, both eggs provide sufficient hooks to fix
this in user code, without patching the eggs:
In spiffy-cgi-handlers, you can add ("HTTP_PROXY" . #f) to the
(cons '("HTTP_PROXY" . #f) (cgi-default-environment)))
This has precedence over the dynamically determined environment list
which converts the "Proxy" header to "HTTP_PROXY".
In http-client, you can disable or override the determine-proxy parameter
with a custom procedure:
(determine-proxy (constantly #f))
The updated versions of spiffy-cgi-handlers and http-client should be
Description: Digital signature
- [Chicken-announce] [SECURITY] spiffy-cgi-handlers and http-client updated to prevent "httpoxy" attack,
Peter Bex <=