Hello CHICKEN users,

A vulnerability called "httpoxy" has been announced, which affects a lot of software (server _and_ client) which speaks the HTTP protocol, allowing a man in the middle attack to be made on servers. The spiffy-cgi-handlers and http-client eggs are also affected.

In short, the CGI specification defines that all HTTP headers should be converted to environment variables, after uppercasing them and prefixing them with "HTTP_". Unfortunately, this allows an attacker to pass a (nonexistent) "Proxy:" header, which will then be converted to "HTTP_PROXY", which happens to be an environment variable which most HTTP client programs and libraries support as a way of telling them to route all requests through a proxy. See https://httpoxy.org for more information about this attack.

The http-client egg is vulnerable to such an attack with the default value of "determine-proxy" (which is "determine-proxy-from-environment"), if it is used in a CGI program. This situation only occurs if the process is invoked by an HTTP server which converts the Proxy header into an HTTP_PROXY environment variable. The spiffy-cgi-handlers egg will do that in the default setup. If your CGI scripts are not using http-client, they may still be vulnerable depending on which HTTP client library or application you are using.

These bugs have been fixed in http-client 0.10 and spiffy-cgi-handlers 0.5, so please update at your earliest convenience. If you are unable to update, both eggs provide sufficient hooks to fix this in user code, without patching the eggs:

In spiffy-cgi-handlers, you can add ("HTTP_PROXY" . #f) to the cgi-default-environment parameter:

  (cgi-default-environment
    (cons '("HTTP_PROXY" . #f) (cgi-default-environment)))

This has precedence over the dynamically determined environment list which converts the "Proxy" header to "HTTP_PROXY".

In http-client, you can disable or override the determine-proxy parameter with a custom procedure:

  (use data-structures)
  (determine-proxy (constantly #f))

The updated versions of spiffy-cgi-handlers and http-client should be available shortly.

Kind regards,
Peter Bex
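The following is an added illustration, written in Python for this page and not code from the spiffy-cgi-handlers or http-client eggs. It models the mechanism described above: the CGI header-to-environment rule turns a client-supplied "Proxy:" header into HTTP_PROXY, a default "determine proxy from environment" client then routes through it, and the two hooks from the advisory (a default-environment entry that takes precedence over header-derived variables, and a determine-proxy override that ignores the environment) each break the chain. The header names, hostnames and URLs are constructed placeholders, and treating a None default as "never set this variable" is an assumption about how the ("HTTP_PROXY" . #f) entry behaves, made for the model.

```python
"""Model of the httpoxy mechanism: added illustration in Python, not code
from the spiffy-cgi-handlers or http-client eggs.

A CGI gateway turns every request header into an HTTP_* environment variable,
so a client-supplied "Proxy:" header becomes HTTP_PROXY, which an HTTP client
library used by the CGI script may honour as its outbound proxy."""
from typing import Callable, Dict, Mapping, Optional

# Constructed sample request: two ordinary headers plus an attacker-supplied
# "Proxy:" header (not a real HTTP header; all values are placeholders).
SAMPLE_HEADERS = {
    "Host": "example.test",
    "User-Agent": "demo/1.0",
    "Proxy": "http://attacker.invalid:8080",
}
BACKEND_URL = "http://backend.internal/api"  # placeholder origin the script calls


def header_to_cgi_name(name: str) -> str:
    """CGI (RFC 3875) meta-variable rule: uppercase, '-' -> '_', prefix HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_environment(headers: Mapping[str, str],
                    defaults: Mapping[str, Optional[str]]) -> Dict[str, str]:
    """Build the environment a CGI handler passes to the script.

    `defaults` models the cgi-default-environment hook from the advisory: its
    entries take precedence over header-derived variables.  A None value (our
    analogue of ("HTTP_PROXY" . #f); an assumption of this model) means the
    variable is never set at all, whatever the request carried.
    """
    env = {header_to_cgi_name(k): v for k, v in headers.items()}
    for key, value in defaults.items():
        if value is None:
            env.pop(key, None)       # drop whatever the request header injected
        else:
            env[key] = value
    return env


def proxy_from_environment(env: Mapping[str, str]) -> Optional[str]:
    """Default client behaviour (determine-proxy-from-environment): honour HTTP_PROXY."""
    return env.get("HTTP_PROXY")


def request_destination(url: str, env: Mapping[str, str],
                        determine_proxy: Callable[[Mapping[str, str]], Optional[str]]
                        = proxy_from_environment) -> str:
    """Where the client actually connects: the proxy if one is determined,
    otherwise the origin server named in `url`."""
    proxy = determine_proxy(env)
    return proxy if proxy is not None else url


def vulnerable_script(headers: Mapping[str, str] = SAMPLE_HEADERS) -> str:
    """Default gateway + default client: the injected proxy wins."""
    return request_destination(BACKEND_URL, cgi_environment(headers, {}))


def fixed_on_the_server(headers: Mapping[str, str] = SAMPLE_HEADERS) -> str:
    """Gateway-side fix: HTTP_PROXY pinned to 'unset' in the defaults."""
    return request_destination(BACKEND_URL,
                               cgi_environment(headers, {"HTTP_PROXY": None}))


def fixed_in_the_client(headers: Mapping[str, str] = SAMPLE_HEADERS) -> str:
    """Client-side fix, like (determine-proxy (constantly #f)): ignore the environment."""
    return request_destination(BACKEND_URL, cgi_environment(headers, {}),
                               determine_proxy=lambda _env: None)


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_script),
                      ("server-side fix", fixed_on_the_server),
                      ("client-side fix", fixed_in_the_client)):
        print(f"{label:16s} -> {fn()}")
```

Either hook alone is enough in the model, which matches the advisory: the server-side default removes HTTP_PROXY before the script ever sees it, while the client-side override stops the client from consulting the environment at all. Applying both is the belt-and-braces choice when you cannot be sure which HTTP client libraries a CGI script pulls in.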
_______________________________________________ Chicken-users mailing list Chicken-users@nongnu.org https://lists.nongnu.org/mailman/listinfo/chicken-users