It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context.
A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request.
Fix: ignore the HTTP_PROXY variable when the REQUEST_METHOD environment variable is set, which indicates that the script is running in CGI mode.
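The following Python sketch is an added example, not code from CPython or from the original advisory. It models how a CGI gateway turns a request header into an `HTTP_`-prefixed variable (the source of the name clash), applies the REQUEST_METHOD rule to a simplified proxy lookup, and checks whether the running interpreter's `urllib.request.getproxies_environment()` follows that rule. The helper names, the sample headers and the `.invalid` proxy URL are constructed for illustration.

```python
import os
from urllib.request import getproxies_environment

# Constructed sample value; the .invalid TLD never resolves.
SENTINEL = "http://proxy.example.invalid:3128"

def cgi_environ(method, headers):
    """Model a CGI gateway (RFC 3875): header 'Name' -> variable 'HTTP_NAME'."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def proxies_from(environ, ignore_in_cgi=True):
    """Simplified model of proxy lookup from environment variables.

    With ignore_in_cgi=True it applies the rule from the advisory: when
    REQUEST_METHOD is set, the HTTP_PROXY value is not trusted.
    """
    proxies = {}
    for name, value in environ.items():
        if value and name.upper().endswith("_PROXY"):
            proxies[name[:-6].lower()] = value
    if ignore_in_cgi and "REQUEST_METHOD" in environ:
        proxies.pop("http", None)
    return proxies

def interpreter_ignores_http_proxy():
    """Simulate CGI mode in this process and ask urllib what it would use."""
    saved = dict(os.environ)
    try:
        os.environ.pop("http_proxy", None)
        os.environ["REQUEST_METHOD"] = "GET"
        os.environ["HTTP_PROXY"] = SENTINEL
        return getproxies_environment().get("http") != SENTINEL
    finally:
        # Restore the original process environment.
        os.environ.clear()
        os.environ.update(saved)

if __name__ == "__main__":
    env = cgi_environ("GET", {"Host": "app.example.invalid", "Proxy": SENTINEL})
    print("name clash, HTTP_PROXY =", env.get("HTTP_PROXY"))
    print("lookup without the rule:", proxies_from(env, ignore_in_cgi=False))
    print("lookup with the rule:   ", proxies_from(env))
    print("interpreter ignores HTTP_PROXY in CGI mode:",
          interpreter_ignores_http_proxy())
```

Running it under the interpreter that serves your CGI scripts shows whether that interpreter includes the fix.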
CVSS score: 5.0 (CVSS v3).
Dates:
Disclosure date: 2016-07-18 (Python issue bpo-27568 reported)
Reported by: Scott Geary (HTTPoxy)
Python 2.7.13 (2016-12-17) fixed by commit 75d7b61 (branch 2.7) (2016-07-30)
Python 3.3.7 (2017-09-19) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
Python 3.4.6 (2017-01-16) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
Python 3.5.3 (2017-01-16) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
Python 3.6.0 (2016-12-22) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
“HTTPoxy”, use of HTTP_PROXY flag supplied by attacker in CGI scripts.
Python issue: bpo-27568
Creation date: 2016-07-18
Reporter: Rémi Rampin
The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
CVE ID: CVE-2016-1000110
Published: 2019-11-27
CVSS Score: 5.8
Timeline using the disclosure date 2016-07-18 as reference:
2016-07-18: Python issue bpo-27568 reported by Rémi Rampin
2016-07-30 (+12 days): commit 75d7b61 (branch 2.7)
2016-07-31 (+13 days): commit 4cbb23f (branch 3.3)
2016-12-17 (+152 days): Python 2.7.13 released
2016-12-22: Python 3.6.0 released
2017-01-16 (+182 days): Python 3.4.6 released
2017-01-16 (+182 days): Python 3.5.3 released
2017-09-19 (+428 days): Python 3.3.7 released
2019-11-27 (+1227 days): CVE-2016-1000110 published