FreeBSD : Multiple ports -- Proxy HTTP header vulnerability (httpoxy) (cf0b5668-4d1b-11e6-b2ec-b499baebfeaf)

high Nessus Plugin ID 92395

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

httpoxy.org reports:

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY

- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

This leads to a remotely exploitable vulnerability.
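The namespace conflict described above, shown as an added example (not from httpoxy.org or from the plugin): it builds CGI meta-variables using the RFC 3875 header naming rule, then applies two guards, dropping the Proxy header before the environment is built and ignoring HTTP_PROXY when REQUEST_METHOD is set. The helper names and the sample header values are constructed for illustration.

```python
# Added illustration; header values and helper names are constructed.

def cgi_environ(headers, base_env):
    """Build CGI meta-variables the way RFC 3875 describes:
    each request header becomes HTTP_<NAME>, upper-cased with '-' -> '_'."""
    env = dict(base_env)
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        # Content-Type / Content-Length have their own meta-variables.
        if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            key = "HTTP_" + key
        env[key] = value
    return env

def strip_proxy_header(headers):
    """Server-side guard: drop the request's Proxy header (any casing)
    before the CGI environment is built."""
    return {k: v for k, v in headers.items() if k.strip().lower() != "proxy"}

def outgoing_proxy(env):
    """Client-side guard: ignore HTTP_PROXY whenever REQUEST_METHOD is set,
    i.e. whenever the process is running as a CGI script."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")

# Constructed sample request and server environment.
SAMPLE_HEADERS = {
    "Host": "app.example",
    "User-Agent": "demo",
    "pRoXy": "http://untrusted.example:8080",
}
SERVER_ENV = {"REQUEST_METHOD": "GET", "SERVER_PROTOCOL": "HTTP/1.1"}

if __name__ == "__main__":
    unfiltered = cgi_environ(SAMPLE_HEADERS, SERVER_ENV)
    print("unfiltered HTTP_PROXY:", unfiltered.get("HTTP_PROXY"))
    filtered = cgi_environ(strip_proxy_header(SAMPLE_HEADERS), SERVER_ENV)
    print("filtered HTTP_PROXY:  ", filtered.get("HTTP_PROXY"))
    print("proxy used under CGI: ", outgoing_proxy(unfiltered))
    shell_env = {"HTTP_PROXY": "http://corp-proxy.example:3128"}
    print("proxy used in a shell:", outgoing_proxy(shell_env))
```
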

Solution

Update the affected packages.

See Also

https://httpoxy.org/

https://www.kb.cert.org/vuls/id/797896

http://www.nessus.org/u?2413f04a

Plugin Details

Severity: High

ID: 92395

File Name: freebsd_pkg_cf0b56684d1b11e6b2ecb499baebfeaf.nasl

Version: 2.3

Type: local

Published: 7/19/2016

Updated: 1/4/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:apache22, p-cpe:/a:freebsd:freebsd:apache22-event-mpm, p-cpe:/a:freebsd:freebsd:apache22-itk-mpm, p-cpe:/a:freebsd:freebsd:apache22-peruser-mpm, p-cpe:/a:freebsd:freebsd:apache22-worker-mpm, p-cpe:/a:freebsd:freebsd:apache24, p-cpe:/a:freebsd:freebsd:go, p-cpe:/a:freebsd:freebsd:go14, p-cpe:/a:freebsd:freebsd:haproxy, p-cpe:/a:freebsd:freebsd:nginx, p-cpe:/a:freebsd:freebsd:php55, p-cpe:/a:freebsd:freebsd:php56, p-cpe:/a:freebsd:freebsd:php70, p-cpe:/a:freebsd:freebsd:python27, p-cpe:/a:freebsd:freebsd:python33, p-cpe:/a:freebsd:freebsd:python34, p-cpe:/a:freebsd:freebsd:python35, p-cpe:/a:freebsd:freebsd:tomcat6, p-cpe:/a:freebsd:freebsd:tomcat7, p-cpe:/a:freebsd:freebsd:tomcat8, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 7/18/2016

Vulnerability Publication Date: 7/18/2016