PHPã«ãŠã‘ã‚‹httpoxyã®å¯¾å¿œ - Shin x Blog
HTTP リクエストã«ä»»æ„ã®å€¤ã‚’セットã™ã‚‹ã“ã¨ã§ã€Web アプリケーションã‹ã‚‰ã® HTTP 通信をå‚å—ã—ãŸã‚Šã€ä¸é–“者攻撃(Man-in-the-Middle)をå¯èƒ½ã«ã™ã‚‹è„†å¼±æ€§ãŒè¦‹ã¤ã‹ã£ã¦ã„ã¾ã™ã€‚ 専用サイト httpoxyã¨ã„ã†åå‰ãŒä»˜ã‘られã€å°‚用サイトãŒç«‹ã¡ä¸ŠãŒã£ã¦ã„ã¾ã™ã€‚詳細ã¯ã€ã“ã®ã‚µã‚¤ãƒˆãŒè©³ã—ã„ã§ã™ã€‚ httpoxy.org 攻撃内容 アプリケーションã‹ã‚‰HTTP通信を行ã†éš›ã«ã€ç’°å¢ƒå¤‰æ•°HTTP_PROXYã®å€¤ã‚’ã€HTTPプãƒã‚ã‚·ã¨ã—ã¦è¦‹ã‚‹ãƒ©ã‚¤ãƒ–ラリãŒã‚る。 HTTPリクエストã«Proxyヘッダを付ã‘られるã¨ã€ç’°å¢ƒå¤‰æ•°HTTP_PROXYã«ãã®å€¤ãŒã‚»ãƒƒãƒˆã•ã‚Œã‚‹ã€‚(ã“ã‚Œã¯ã€CGIã®ä»•æ§˜ï¼‰ ã¤ã¾ã‚Šã€ä»»æ„ã®ãƒ—ãƒã‚シを外部ã‹ã‚‰æŒ‡å®šã§ãã¦ã—ã¾ã†ã®ã§ã€é€šä¿¡å†…容ã®å‚å—ã‚„å½è£…ãŒã§ãã¦ã—ã¾ã†ã€‚ 対象ã¨ãªã‚‹ PHP アプリケーション HTTP リクエストをå—ã‘ã¦å‹•ä½œã™ã‚‹ PHP アプリケーション アプ
PHPã«é–¢ã™ã‚‹HTTPOXY脆弱性ã®å•é¡Œã¨å¯¾å¿œæ–¹æ³• - Code Day's Night
外部ã‹ã‚‰ç°¡å˜ã«HTTP_PROXYã¨ã„ã†ç’°å¢ƒå¤‰æ•°ãŒã‚»ãƒƒãƒˆã§ãã€ã‚µãƒ¼ãƒé–“通信や外部サイトã¨é€£æºã—ã¦ã„ã‚‹å ´åˆã«å½±éŸ¿ãŒã‚ã‚‹ã‹ã‚‚ã—ã‚Œãªã„脆弱性ã§ã™ã€‚(HTTPoxy. CVE-2016-5385) PHPã®å ´åˆã¯php-fpm, mod_php, Guzzle4以上やã„ãã¤ã‹ã®ãƒ©ã‚¤ãƒ–ラリã§å½±éŸ¿ã‚ã‚Šã¾ã™ã€‚ 対応方法ã¯ç°¡å˜ã§ã™ã€‚ Apacheå´ã§å¯¾å¿œã™ã‚‹å ´åˆã¯ã€mod_headerを使ãˆã‚‹çŠ¶æ³ã§ã‚ã‚Œã°ã€confファイルã«ä¸‹è¨˜ã®1è¡Œã‚’è¿½åŠ ã€‚ RequestHeader unset Proxy FastCGIã®å ´åˆã¯ä¸‹è¨˜ã®1è¡Œã‚’è¿½åŠ ã€‚ fastcgi_param HTTP_PROXY ""; Guzzleã¯6.2.1ã§å¯¾å¿œã•ã‚ŒãŸã‚ˆã†ã§ã™ã€‚ Release 6.2.1 release · guzzle/guzzle · GitHub コミットãƒã‚°ã‚’見るã¨ã€CLIã®æ™‚ã®ã¿ã€getenv('HTTP_PROXY
Mitigating the HTTPoxy Vulnerability with NGINX
On 18 July 2016, a vulnerability named ‘HTTPoxy’ was announced, affecting some server‑side web applications that run in CGI or CGI‑like environments, such as some FastCGI configurations. Languages known to be affected so far include PHP, Python, and Go. A number of CVEs have been assigned, covering specific languages and CGI implementations: Apache HTTP Server (CVE-2016-5387)Apache Tomcat (CVE-201
HTTPoxy - CGI "HTTP_PROXY" variable name clash | Red Hat Customer Portal
0 Get notified when this content is updated. Follow Please wait... Background Information A vulnerability was discovered in how CGI scripts are used by Red Hat products that leverage PHP, Go, Python, and other scripting languages. Several web servers, web frameworks and programming languages (most commonly in a CGI environment) will set the environmental variable “HTTP_PROXY†based on data from in
httpoxy
Recommended reading Summary What Is Affected Immediate Mitigation Prevention Interesting, but once you’ve mitigated How It Works Why It Happened History of httpoxy CVEs A CGI application vulnerability (in 2016) for PHP, Go, Python and others httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict: RFC 3
1
ãŠçŸ¥ã‚‰ã›
ランã‚ング
ランã‚ング
リリースã€éšœå®³æƒ…å ±ãªã©ã®ã‚µãƒ¼ãƒ“スã®ãŠçŸ¥ã‚‰ã›
最新ã®äººæ°—エントリーã®é…ä¿¡
j次ã®ãƒ–ックマーク
kå‰ã®ãƒ–ックマーク
lã‚ã¨ã§èªã‚€
eコメント一覧を開ã
oページを開ã
ALAS-2016-725
[PDF] CGI ç‰ã‚’利用ã™ã‚‹ã‚¦ã‚§ãƒ–サーãƒã®è„†å¼±æ€§ï¼ˆhttpoxy)を標的ã¨ã—ãŸã‚¢ã‚¯ã‚»ã‚¹ã®è¦³æ¸¬ã«ã¤ã„㦠- è¦å¯Ÿåº (å¹³æˆ28年7月20æ—¥)
Addressing HTTP_PROXY security vulnerability, CVE-2016-5385 · guzzle/guzzle@9d521b2
{{#tags}}- {{label}}
{{/tags}}