SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Server/CGI)  >   Apache Tomcat Vendors:   Apache Software Foundation
Apache Tomcat CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases
SecurityTracker Alert ID:  1036331
SecurityTracker URL:  http://securitytracker.com/id/1036331
CVE Reference:   CVE-2016-5388   (Links to External Site)
Updated:  Jul 18 2016
Original Entry Date:  Jul 18 2016
Impact:   Disclosure of system information, Disclosure of user information, Host/resource access via network, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in CGI applications that run on Apache Tomcat. A remote user can redirect the target CGI application requests to an arbitrary web proxy in certain cases.

On systems where the Apache Tomcat server is configured to proxy HTTP requests and the target CGI application relies on the HTTP_PROXY environment variable in a trusted manner, a remote user can send (or can conduct a man-in-the-middle attack to insert or modify) a specially crafted HTTP "Proxy:" header to cause the target CGI application to proxy HTTP connections to an arbitrary port on an arbitrary server. This can be exploited to set the HTTP_PROXY variable on the target CGI application server and cause CGI application server internal requests to be proxied, in certain cases.

The vulnerability resides in the CGI applications that use the HTTP_PROXY variable.

[Editor's note: This is not an Apache Tomcat vulnerability, per se. Rather, it is a vulnerability in CGI modules or applications that may run on Apache Tomcat or other web server platforms.]

Other CGI application platforms are affected.

The original advisory is available at:

https://httpoxy.org/

Dominic Scheirlinck and Scott Geary of Vend reported this vulnerability. Other researchers have reported aspects of this vulnerability affecting various applications since at least 2001.

Impact:   A remote user that can conduct a man-in-the-middle attack can redirect the target CGI application requests to an arbitrary web proxy in certain cases.
Solution:   The vendor has provided instructions for several options to mitigate affected applications. The patch is available in the vendor's advisory.

The vendor's advisory is available at:

https://www.apache.org/security/asf-httpoxy-response.txt

Vendor URL:  www.apache.org/security/asf-httpoxy-response.txt (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 18 2016 (Red Hat Issues Fix for JBoss) Apache Tomcat CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases
Red Hat has issued a fix for JBoss for Red Hat Enterprise Linux.
Aug 19 2016 (Red Hat Issues Fix for JBoss) Apache Tomcat CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases
Red Hat has issued a fix for JBoss for Red Hat Enterprise Linux 7.
Aug 19 2016 (Red Hat Issues Fix for JBoss) Apache Tomcat CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases
Red Hat has issued a fix for JBoss for Red Hat Enterprise Linux 6.
Nov 4 2016 (Red Hat Issues Fix) Apache Tomcat CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Nov 4 2016 (Red Hat Issues Fix) Apache Tomcat CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases
Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Nov 8 2016 (HP Issues Fix) Apache Tomcat CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases
HP has issued a fix for HP-UX 11.31.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, SecurityGlobal.net LLC