php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #72573 HTTP_PROXY is improperly trusted by some PHP libraries and applications
Submitted: 2016-07-11 00:27 UTC Modified: 2016-07-29 02:49 UTC
From: dominic at vendhq dot com Assigned: stas (profile)
Status: Closed Package: CGI/CLI related
PHP Version: 7.0.9RC1 OS: any
Private report: No CVE-ID: 2016-5385
 [2016-07-11 00:27 UTC] dominic at vendhq dot com
Description:
------------
RFC 3875 (CGI) puts any HTTP 'Proxy' header present in a request into the environment as HTTP_PROXY. HTTP_PROXY (or http_proxy) has also become a popular environment variable used to configure an outgoing proxy.

The collision between the two leads to a security vulnerability in applications that trust getenv('HTTP_PROXY') as if it were a "real" unix environment variable.

Originally reported via email to security@php.net on June 30.

Test script:
---------------
https://github.com/guzzle/guzzle/blob/502b40014c5f6c5b17894ce7ea7258b550b6b018/src/Client.php#L167
https://github.com/ruflin/Elastica/blob/c01c929424c8efd48eca8f773feecd6902b36c6c/lib/Elastica/Transport/Guzzle.php#L68
https://github.com/search?l=php&p=2&q=getenv+HTTP_PROXY&ref=searchresults&type=Code&utf8=%E2%9C%93


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-07-11 00:56 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-07-11 00:59 UTC] stas@php.net
Mitigation patch is in https://gist.github.com/smalyshev/ba40554d812723e0397dd0cfef57932d and in security repo as 98b9dfaec95e6f910f125ed172cdbd25abd006ec
 [2016-07-11 01:03 UTC] stas@php.net
BTW, I see in Guzzle they use http_proxy. I'm not sure whether it's case sensitive but I suspect that it is. I don't know any implementation that would define HTTP meta-vars in lowercase.
 [2016-07-11 01:04 UTC] stas@php.net
In the first link it's uppercase but in the second it's lowercase...
 [2016-07-11 01:11 UTC] dominic at vendhq dot com
> I'm not sure whether it's case sensitive but I suspect that it is. 

AFAIK, getenv is case insensitive on Windows. ($_SERVER is another story though, because once the keys are in the actual array they're case sensitive again.) So, it's a mixed bag.

I definitely think we should recommend that people go with the libwww-perl/Ruby mitigation (CGI_HTTP_PROXY), and not the wget/curl "mitigation" of using lowercase http_proxy (which has lead to them still being vulnerable in e.g. a batch script on Windows running under CGI)

> I don't know any implementation that would define HTTP meta-vars in lowercase.

You're right that all the CGI implementations define it in uppercase. The problem is that there are environments that don't support case sensitive environment variables at all.
 [2016-07-12 08:05 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-5385
 [2016-07-18 17:56 UTC] dominic at vendhq dot com
Public disclosure date has passed. Probably doesn't need to be marked private any more.
 [2016-07-19 07:54 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-07-19 07:54 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-07-29 02:00 UTC] mtjmchugh at gmail dot com
There is a reference that this bug is tied to unix systems.  Is this a security issue for windows systems?
 [2016-07-29 02:49 UTC] stas@php.net
If they use CGI/FCGI, yes. Any system that has environment variables as a concept would be vulnerable, probably.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC