Hi,

Red Hat found a vulnerability in various web servers and frameworks related to an env variable passed to CGI scripts, see below:

HTTPoxy - CGI "HTTP_PROXY" variable name clash
https://access.redhat.com/security/vulnerabilities/httpoxy

I was able to reproduce on OpenBSD httpd/slowcgi (6.0-beta from Jul 1).

j.

~~~
# slowcgi -d
slowcgi: socket: /var/www/run/slowcgi.sock
slowcgi: slowcgi_user: www
slowcgi: chroot: /var/www
slowcgi: inflight incremented, now 1
slowcgi: version: 1
slowcgi: type: 1
slowcgi: requestId: 1
slowcgi: contentLength: 8
slowcgi: paddingLength: 0
slowcgi: reserved: 0
slowcgi: role 1
slowcgi: flags 0
slowcgi: version: 1
slowcgi: type: 4
slowcgi: requestId: 1
slowcgi: contentLength: 448
slowcgi: paddingLength: 0
slowcgi: reserved: 0
slowcgi: env[0], PATH_INFO=
slowcgi: env[1], SCRIPT_NAME=/cgi-bin/testovic
slowcgi: env[2], SCRIPT_FILENAME=//cgi-bin/testovic
slowcgi: env[3], QUERY_STRING=
slowcgi: env[4], DOCUMENT_ROOT=/
slowcgi: env[5], DOCUMENT_URI=/cgi-bin/testovic
slowcgi: env[6], GATEWAY_INTERFACE=CGI/1.1
slowcgi: env[7], HTTP_ACCEPT=*/*
slowcgi: env[8], HTTP_HOST=localhost
slowcgi: env[9], HTTP_PROXY=AFFECTED
slowcgi: env[10], HTTP_USER_AGENT=curl/7.49.0
slowcgi: env[11], REMOTE_ADDR=127.0.0.1
slowcgi: env[12], REMOTE_PORT=30357
slowcgi: env[13], REQUEST_METHOD=GET
slowcgi: env[14], REQUEST_URI=/cgi-bin/testovic
slowcgi: env[15], SERVER_ADDR=127.0.0.1
slowcgi: env[16], SERVER_PORT=80
slowcgi: env[17], SERVER_NAME=default
slowcgi: env[18], SERVER_PROTOCOL=HTTP/1.1
slowcgi: env[19], SERVER_SOFTWARE=OpenBSD httpd
slowcgi: version: 1
slowcgi: type: 4
slowcgi: requestId: 1
slowcgi: contentLength: 0
slowcgi: paddingLength: 0
slowcgi: reserved: 0
slowcgi: fork: //cgi-bin/testovic
slowcgi: version: 1
slowcgi: type: 5
slowcgi: requestId: 1
slowcgi: contentLength: 0
slowcgi: paddingLength: 0
slowcgi: reserved: 0
slowcgi: resp version: 1
slowcgi: resp type: 6
slowcgi: resp requestId: 1
slowcgi: resp contentLength: 47
slowcgi: resp paddingLength: 0
slowcgi: resp reserved: 0
slowcgi: resp version: 1
slowcgi: resp type: 6
slowcgi: resp requestId: 1
slowcgi: resp contentLength: 0
slowcgi: resp paddingLength: 0
slowcgi: resp reserved: 0
slowcgi: resp version: 1
slowcgi: resp type: 7
slowcgi: resp requestId: 1
slowcgi: resp contentLength: 0
slowcgi: resp paddingLength: 0
slowcgi: resp reserved: 0
slowcgi: wait: //cgi-bin/testovic
slowcgi: resp version: 1
slowcgi: resp type: 3
slowcgi: resp requestId: 1
slowcgi: resp contentLength: 8
slowcgi: resp paddingLength: 0
slowcgi: resp reserved: 0
slowcgi: resp appStatus: 0
slowcgi: resp protocolStatus: 0

$ curl -H 'Proxy: AFFECTED' http://localhost/cgi-bin/testovic
HTTP_PROXY='AFFECTED'

$ cat /var/www/cgi-bin/testovic
#!/bin/sh
echo "Content-Type:text/plain
"
echo "HTTP_PROXY='$HTTP_PROXY'"
~~~
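
An added example, not part of the original post and not slowcgi's own code: the type 4 (FCGI_PARAMS) record in the log above carries the CGI environment as length-prefixed name/value pairs, and this C code decodes such a body into `NAME=value` strings while dropping `HTTP_PROXY` before it can reach the script. The function names, buffer sizes and sample bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed FCGI_PARAMS body: HTTP_HOST, HTTP_PROXY, REQUEST_METHOD. */
static const uint8_t sample[] = "\x09\x09HTTP_HOST" "localhost"
    "\x0a\x08HTTP_PROXY" "AFFECTED" "\x0e\x03REQUEST_METHOD" "GET";
static char env_out[8][256];
static int dropped;
/* FastCGI length field: 1 byte, or 4 bytes (31 bits) if the high bit is set. */
static int fcgi_len(const uint8_t *b, size_t n, size_t *off, uint32_t *out)
{
	const uint8_t *p = b + *off;
	size_t w = (*off < n && (*p & 0x80)) ? 4 : 1;
	if (*off >= n || n - *off < w)
		return -1;
	*out = w == 1 ? p[0] : (uint32_t)(p[0] & 0x7f) << 24 |
	    (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
	*off += w;
	return 0;
}

/* NAME=value strings from a params body, minus HTTP_PROXY; -1 if malformed. */
int params_to_env(const uint8_t *b, size_t n, char env[][256], int max, int *drop)
{
	size_t off = 0;
	uint32_t nl, vl;
	int kept = 0;
	for (*drop = 0; off < n; off += (size_t)nl + vl) {
		if (fcgi_len(b, n, &off, &nl) || fcgi_len(b, n, &off, &vl) ||
		    nl > n - off || vl > n - off - nl)
			return -1;
		if (nl == 10 && memcmp(b + off, "HTTP_PROXY", 10) == 0)
			(*drop)++;	/* set by the client's "Proxy:" header */
		else if (kept < max && (size_t)nl + vl + 2 <= sizeof(env[0]))
			snprintf(env[kept++], sizeof(env[0]), "%.*s=%.*s", (int)nl,
			    (const char *)b + off, (int)vl, (const char *)b + off + nl);
		else
			return -1;
	}
	return kept;
}

int main(void)
{
	int n = params_to_env(sample, sizeof(sample) - 1, env_out, 8, &dropped);
	for (int i = 0; i < n; i++)
		puts(env_out[i]);
	return n < 0;
}
```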

