On Fri, 22 Jul 2016 09:48:34 -0700 Mark Sapiro <[email protected]> wrote: > On 07/22/2016 08:55 AM, Perry E. Metzger wrote: > > On Wed, 20 Jul 2016 12:02:13 -0700 Mark Sapiro > > <[email protected]> > >> > >> I am not an expert on httpoxy at all, but quoting from > >> <https://httpoxy.org/#top> > >> > >> "httpoxy is a vulnerability for server-side web applications. If > >> you’re not deploying code, you don’t need to worry." > >> > >> Mailman's web UI serves end user HTML pages. It does not deploy > >> code. > >> > > > > Er, it uses CGI scripts, doesn't it? That's what it means to > > "deploy code" in this context. > > > That's not the way I read it,
It works by an attacker inserting an http_proxy header into the headers which it presents to the web server, which are then passed in the HTTP_PROXY environment variable to the CGI script. I think that there aren't many ways to read this. > but if you think that's the case, then > you've already decided that Mailman 2.1 is vulnerable depending on > the specific web server configuration. I don't know. I don't know if Mailman uses any of the vulnerable routines that might cause HTTP_PROXY being set to cause trouble. > GNU Mailman has no control > over how you set up your web server to serve Mailman's CGI output, > so your question should be "is my web server configuration > vulnerable?". Not entirely, no. You could defend Mailman by interposing code on the http server of course. Perry -- Perry E. Metzger [email protected] ------------------------------------------------------ Mailman-Users mailing list [email protected] https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
