httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 59886] httpoxy: shouldn't suexec block the questonable HTTP_ variables
Date Wed, 20 Jul 2016 04:48:46 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=59886

--- Comment #6 from Eric Covener <covener@gmail.com> ---
(In reply to Christoph Anton Mitterer from comment #5)
> Hmm I just re-thought the whole thing...
> 
> Isn't the problem below httpoxy actually "much" bigger, at least in
> principle?
> 
> Who says that there aren't any further scripts out there (which are run from
> webservers, which export HTTP_<header> vars), which make use of such names?
> HTTP_* is pretty generic and by no means anything one would need to assume
> that "belongs" to CGI, or to webserver-set variables that aren't to be
> trusted.
> 
> There could be a HTTP_MODE variable which takes e.g. "plain" or "ssl" and
> causes the program in question to make further connections plain (and
> possibly insecure) when the attacker can overwrite it with a header.
> 
> 
> Not sure if this breaks many scripts, but it rather seems to me as if
> webservers should per default not export *any* untrusted HTTP request
> headers as envvars, at least as long as this doesn't happen below a
> sufficiently obvious namespace (e.g. SET_BY_WEBSERVER_AND_INSECURE_<header
> name> or so ;-) ...
> 
> 
> What do you think?

I don't agree, maybe someone else will. Better odds if you take it to a mailing
list as an improvement rather than further complicate this report.
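The header-to-environment mapping behind the concern in comment #5, with the two filtering policies the thread touches on (drop known-dangerous variables, or export only an allowlist), as an added example that is not code from the bug report or from httpd; the header names and values are constructed, and HTTP_MODE is the hypothetical variable from the comment, not a real one.

```python
import re
from typing import Dict, Iterable, Optional

# Constructed sample request (not from the page). "Proxy" is the httpoxy header;
# "Mode" mirrors the hypothetical HTTP_MODE variable from comment #5.
SAMPLE_HEADERS = {
    "Host": "example.test",
    "Proxy": "http://203.0.113.9:3128",
    "Mode": "plain",
    "Content-Type": "text/plain",
}

# Headers that CGI (RFC 3875) exports under dedicated names instead of HTTP_*.
SPECIAL = {"Content-Type": "CONTENT_TYPE", "Content-Length": "CONTENT_LENGTH"}

# Variables a script may read that must never be client-controlled.
BLOCKED = frozenset({"HTTP_PROXY", "HTTP_MODE"})

def header_to_env_name(header: str) -> str:
    """RFC 3875 meta-variable name: upper-case, non-alphanumerics to '_', HTTP_ prefix."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", header.upper())

def build_cgi_env(headers: Dict[str, str],
                  blocked: Iterable[str] = (),
                  allowed: Optional[Iterable[str]] = None) -> Dict[str, str]:
    """Build the environment a CGI gateway would hand to a script.

    With no filter, every request header becomes HTTP_<NAME>: the client picks
    the variable name. `blocked` drops named variables (the effect of Apache's
    documented `RequestHeader unset Proxy early`); `allowed`, if given, is the
    stricter policy from the comment above: export only listed HTTP_ variables.
    """
    blocked, env = set(blocked), {}
    allowed = None if allowed is None else set(allowed)
    for name, value in headers.items():
        if name in SPECIAL:
            env[SPECIAL[name]] = value
            continue
        var = header_to_env_name(name)
        if var in blocked or (allowed is not None and var not in allowed):
            continue
        env[var] = value
    return env

def proxy_a_naive_client_would_use(env: Dict[str, str]) -> Optional[str]:
    """Many HTTP client libraries honour HTTP_PROXY from the environment; in an
    unfiltered CGI environment that value came from the request's Proxy header."""
    return env.get("HTTP_PROXY")
```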


