ArchLinux: 201607-9: drupal: proxy injection
Summary
Drupal 8 uses the third-party PHP library Guzzle for making server-side
HTTP requests. An attacker can provide a proxy server that Guzzle will
use. This vulnerability is called 'httpoxy'. httpoxy is a set of
vulnerabilities that affect application code running in CGI, or CGI-like
environments. It comes down to a simple namespace conflict:
- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the
  environment variables as HTTP_PROXY.
- HTTP_PROXY is a popular environment variable used to configure an
  outgoing proxy.
This leads to a remotely exploitable vulnerability. If you’re running PHP
or CGI, you should block the Proxy header now.
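The namespace conflict above, as an added Python illustration (not code from Drupal, Guzzle or the Arch advisory): a constructed request carrying a Proxy header is mapped to CGI meta-variables the way RFC 3875 names them, a client that honours HTTP_PROXY picks the attacker's value up, and the two mitigations (dropping the header before CGI, which is what the web-server workarounds below do, and ignoring HTTP_PROXY in a request context, which is what the Drupal fix amounts to) are shown side by side. The header values and function names are constructed for this example.

```python
# Added illustration of the httpoxy namespace conflict described in the
# advisory. Sample request is constructed; this is not Drupal's, Guzzle's
# or the advisory's own code.
from typing import Dict, Optional


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Map request headers to environment variables as RFC 3875 does:
    uppercase the name, replace '-' with '_', prefix with HTTP_.
    A request header named 'Proxy' therefore becomes HTTP_PROXY."""
    env: Dict[str, str] = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def outgoing_proxy(env: Dict[str, str]) -> Optional[str]:
    """Mimic a client library that reads HTTP_PROXY from the environment
    to configure its outgoing proxy. In a CGI request this value is
    attacker-controlled, which is the vulnerable path."""
    return env.get("HTTP_PROXY") or None


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Mitigation at the web server: drop the 'Proxy' request header
    before the CGI environment is built. 'Proxy' is not a standard
    request header, so nothing legitimate is lost."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def safe_outgoing_proxy(env: Dict[str, str], cgi_request: bool = True) -> Optional[str]:
    """Mitigation in the application: never trust HTTP_PROXY while
    serving a request, because it may come from the client. Only a
    non-request (CLI) context may use it as a real setting."""
    if cgi_request:
        return None
    return env.get("HTTP_PROXY") or None


# Constructed sample request with the hostile header (values are made up).
SAMPLE_HEADERS = {
    "Host": "app.example.invalid",
    "User-Agent": "sample-agent/1.0",
    "Proxy": "proxy.attacker.invalid:8080",
}


def demo() -> Dict[str, Optional[str]]:
    """Return what each path would use as its outgoing proxy."""
    env = cgi_meta_variables(SAMPLE_HEADERS)
    stripped_env = cgi_meta_variables(strip_proxy_header(SAMPLE_HEADERS))
    return {
        "vulnerable": outgoing_proxy(env),
        "header_stripped": outgoing_proxy(stripped_env),
        "app_hardened": safe_outgoing_proxy(env),
    }


if __name__ == "__main__":
    for path, proxy in demo().items():
        print(f"{path:16s} -> outgoing proxy: {proxy}")
```

Running the block shows the vulnerable path handing the request-supplied value to the HTTP client, while either mitigation leaves the proxy unset; the second mitigation matters because stripping the header at one web server does not protect an application that is also reachable through another front end.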
Resolution
Upgrade to 8.1.7-1.
# pacman -Syu "drupal>=8.1.7-1"
The problem has been fixed upstream in version 8.1.7.
References
https://access.redhat.com/security/cve/CVE-2016-5385
https://www.drupal.org/SA-CORE-2016-003
https://httpoxy.org/
https://bugzilla.redhat.com/show_bug.cgi?id=1353794
Workaround
Apache (.htaccess)
NGINX/FastCGI
fastcgi_param HTTP_PROXY "";
For any other service please visit:
https://httpoxy.org/