https://bz.apache.org/bugzilla/show_bug.cgi?id=59886
--- Comment #5 from Christoph Anton Mitterer <cales...@scientia.net> ---

Hmm, I just re-thought the whole thing... Isn't the problem below httpoxy actually "much" bigger, at least in principle?

Who says that there aren't any further scripts out there (which are run from webservers, which export HTTP_<header> vars) which make use of such names? HTTP_* is pretty generic and by no means anything one would need to assume "belongs" to CGI, or to webserver-set variables that aren't to be trusted.

There could be a HTTP_MODE variable which takes e.g. "plain" or "ssl" and causes the program in question to make further connections plain (and possibly insecure) when the attacker can overwrite it with a header.

Not sure if this breaks many scripts, but it rather seems to me as if webservers should by default not export *any* untrusted HTTP request headers as envvars, at least as long as this doesn't happen below a sufficiently obvious namespace (e.g. SET_BY_WEBSERVER_AND_INSECURE_<header name> or so ;-) ...

What do you think?
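The mapping the comment relies on, shown as an added example (this is not code from the bug report, the commenter, or httpd): a CGI-style gateway turns each request header into an `HTTP_<NAME>` environment variable, so a request carrying a `Proxy` header yields `HTTP_PROXY`, and a hypothetical `Mode` header yields `HTTP_MODE`. The hardened variant below drops known-dangerous names and lets the operator move the rest under a distinct prefix, which is the namespacing idea raised above; the consumer-side check ignores `HTTP_PROXY` whenever the script is running under CGI. The header names, values and function names are all constructed for illustration.

```python
"""Added example: how request headers become HTTP_* environment variables in a
CGI-style gateway, plus two defensive variants. Not part of the bug report."""
import re

# Constructed sample request headers (not captured traffic). 'Proxy' is the header
# behind httpoxy; 'Mode' stands in for the hypothetical HTTP_MODE case above.
SAMPLE_HEADERS = {
    "Host": "www.example.org",
    "User-Agent": "curl/7.50",
    "Proxy": "http://203.0.113.5:8080",
    "Mode": "plain",
}

# Header names the gateway should never export as environment variables.
BLOCKED_HEADERS = frozenset({"PROXY"})


def cgi_env_name(header_name: str) -> str:
    """RFC 3875 4.1.18 mapping: upper-case, non-alphanumerics become '_',
    and the result is prefixed with 'HTTP_'."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", header_name.upper())


def naive_cgi_env(headers: dict) -> dict:
    """Export every request header, the way a classic CGI gateway does.
    An attacker-controlled 'Proxy' header lands in HTTP_PROXY."""
    return {cgi_env_name(name): value for name, value in headers.items()}


def hardened_cgi_env(headers: dict, prefix: str = "HTTP_") -> dict:
    """Same mapping, but blocked headers are dropped and the caller may choose
    a distinct prefix so scripts cannot confuse these with trusted variables."""
    env = {}
    for name, value in headers.items():
        key = re.sub(r"[^A-Z0-9]", "_", name.upper())
        if key in BLOCKED_HEADERS:
            continue  # never let a request header become e.g. HTTP_PROXY
        env[prefix + key] = value
    return env


def proxy_from_env(env: dict):
    """Consumer-side mitigation: an HTTP client library should ignore HTTP_PROXY
    when it detects a CGI context (REQUEST_METHOD is set by the gateway, not by
    the user), because there the variable may originate from the request."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


if __name__ == "__main__":
    print("naive   :", sorted(naive_cgi_env(SAMPLE_HEADERS)))
    print("hardened:", sorted(hardened_cgi_env(SAMPLE_HEADERS, prefix="UNTRUSTED_HTTP_")))
    cgi_env = dict(naive_cgi_env(SAMPLE_HEADERS), REQUEST_METHOD="GET")
    print("proxy under CGI:", proxy_from_env(cgi_env))
```

Running the module prints the naive variable set (which includes `HTTP_PROXY` and `HTTP_MODE`), the hardened set under the `UNTRUSTED_HTTP_` prefix without `UNTRUSTED_HTTP_PROXY`, and `None` for the proxy lookup under CGI. Both sides of the fix are shown because neither alone is sufficient: the gateway cannot know every variable name some script might trust, and the script cannot know which gateway deployed it.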