CVE-2016-1000110: HTTPoxy attack

It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context.

A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request.

The fix ignores the HTTP_PROXY variable when the REQUEST_METHOD environment variable is set, which indicates that the script is running in CGI mode.
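The name clash and the REQUEST_METHOD check can be reproduced on plain dictionaries. The following is an added example, not CPython's own code: the function names, the sample hosts and the choice to keep trusting an all-lowercase `http_proxy` in CGI mode are assumptions of this sketch.

```python
# Added illustration; sample values are constructed, not taken from a real request.

def cgi_environ(method, headers, server_env=None):
    """Build the environment a CGI server passes to a script: each request
    header "Name" becomes the meta-variable HTTP_NAME (RFC 3875)."""
    env = dict(server_env or {})
    env["REQUEST_METHOD"] = method
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def proxies_naive(env):
    """Unpatched lookup: any <scheme>_proxy variable, matched case-insensitively."""
    return {k.lower()[:-6]: v for k, v in env.items()
            if v and k.lower().endswith("_proxy")}

def proxies_cgi_safe(env):
    """Same lookup, but in CGI mode the http proxy is only accepted from the
    all-lowercase http_proxy, a name no request header can produce."""
    in_cgi = "REQUEST_METHOD" in env
    proxies = {}
    for name, value in env.items():
        lowered = name.lower()
        if not value or not lowered.endswith("_proxy"):
            continue
        scheme = lowered[:-6]
        if in_cgi and scheme == "http" and name != "http_proxy":
            continue  # may originate from a client-supplied "Proxy:" header
        proxies[scheme] = value
    return proxies

# Constructed request: the client sends a "Proxy" header to a CGI script whose
# server environment legitimately configures an HTTPS proxy.
SAMPLE_ENV = cgi_environ(
    "GET",
    {"Proxy": "http://untrusted.example:3128", "User-Agent": "demo"},
    server_env={"https_proxy": "http://corp-proxy.example:3128"},
)

if __name__ == "__main__":
    print("naive:   ", proxies_naive(SAMPLE_ENV))
    print("cgi-safe:", proxies_cgi_safe(SAMPLE_ENV))
```

The naive lookup returns the client-supplied value as the `http` proxy, while the CGI-aware lookup drops it and keeps the server-configured `https` entry.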

CVSS score: 5.0 (CVSS v3).

  • Disclosure date: 2016-07-18 (Python issue #27568 reported)
  • Reported by: Scott Geary (HTTPoxy)

Fixed In

Python issue

“HTTPoxy”, use of HTTP_PROXY flag supplied by attacker in CGI scripts.

  • Python issue: issue #27568
  • Creation date: 2016-07-18
  • Reporter: Rémi Rampin

Timeline

Timeline using the disclosure date 2016-07-18 as reference:

  • 2016-07-18: Python issue #27568 reported by Rémi Rampin
  • 2016-07-30 (+12 days): commit 75d7b61
  • 2016-07-31 (+13 days): commit 4cbb23f
  • 2016-12-17 (+152 days): Python 2.7.13 released
  • 2016-12-23: Python 3.6.0 released
  • 2017-01-17 (+183 days): Python 3.4.6 released
  • 2017-01-17 (+183 days): Python 3.5.3 released
  • 2017-09-19 (+428 days): Python 3.3.7 released