HTTPoxy attack¶
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context: a CGI gateway exposes a client-supplied "Proxy:" request header to the script as the environment variable HTTP_PROXY, the same variable that urllib reads to find the HTTP proxy it should use. A remote attacker could use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy by sending a single malicious HTTP request.
The fix ignores the HTTP_PROXY variable when the REQUEST_METHOD environment variable is set, which indicates that the script is running in CGI mode.
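The following example is added here to illustrate the clash and the fix; it is not code from the Python project or from this advisory. It models how a CGI gateway turns request headers into HTTP_* variables, shows a pre-fix proxy lookup beside one that follows the described fix (drop the `http` entry in CGI mode, then re-apply only exactly lowercase `*_proxy` variables so an operator's `http_proxy` is still honoured), and finally runs the interpreter's own `urllib.request.getproxies_environment()` under a constructed environment so you can check that the interpreter you deploy carries the fix. The header values and host names are constructed sample data.

```python
import os
import urllib.request

# Constructed request headers as an attacker would send them. "Proxy" is not a
# standard request header, but a CGI gateway still exports it to the script as
# HTTP_PROXY. Host names are assumed example values, not from the advisory.
ATTACKER_HEADERS = {
    "Host": "victim.example",
    "Proxy": "http://attacker.example:8080",
}
OPERATOR_PROXY = "http://corp-proxy.example:3128"  # assumed legitimate proxy


def cgi_environ(headers, method="GET", extra=None):
    """Model how a CGI gateway builds meta-variables: REQUEST_METHOD is set and
    each request header 'Name' becomes HTTP_NAME (RFC 3875). This mapping is
    what lets a client-supplied 'Proxy' header become HTTP_PROXY."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    if extra:
        env.update(extra)
    return env


def proxies_vulnerable(environ):
    """Pre-fix lookup: any variable ending in _proxy, matched case-insensitively,
    names a proxy, so in CGI the attacker-controlled HTTP_PROXY is honoured."""
    proxies = {}
    for name, value in environ.items():
        if value and name.lower().endswith("_proxy"):
            proxies[name.lower()[:-6]] = value
    return proxies


def proxies_fixed(environ):
    """Lookup following the fix described above: in CGI mode (REQUEST_METHOD
    set) the 'http' entry from the case-insensitive pass is dropped; a second
    pass re-applies only exactly lowercase *_proxy variables, so an operator's
    http_proxy still wins while a request-derived HTTP_PROXY is ignored."""
    proxies = {}
    for name, value in environ.items():
        if value and name.lower().endswith("_proxy"):
            proxies[name.lower()[:-6]] = value
    if "REQUEST_METHOD" in environ:
        proxies.pop("http", None)
    for name, value in environ.items():
        if name.endswith("_proxy"):  # case-sensitive: lowercase names only
            if value:
                proxies[name[:-6]] = value
            else:
                proxies.pop(name[:-6], None)
    return proxies


def interpreter_proxies(environ):
    """Ask the running interpreter's own urllib.request.getproxies_environment()
    what it would use under `environ`. os.environ is swapped out and restored,
    so this doubles as a check that the deployed interpreter carries the fix."""
    saved = dict(os.environ)
    try:
        os.environ.clear()
        os.environ.update(environ)
        return urllib.request.getproxies_environment()
    finally:
        os.environ.clear()
        os.environ.update(saved)


if __name__ == "__main__":
    cgi = cgi_environ(ATTACKER_HEADERS)
    print("vulnerable lookup in CGI:", proxies_vulnerable(cgi))
    print("fixed lookup in CGI:     ", proxies_fixed(cgi))
    print("this interpreter in CGI: ", interpreter_proxies(cgi))
    shell = {"HTTP_PROXY": OPERATOR_PROXY}  # no REQUEST_METHOD: not CGI
    print("fixed lookup outside CGI:", proxies_fixed(shell))
```

On a patched interpreter the third line prints an empty mapping for the CGI environment; if it prints the attacker's proxy instead, that interpreter predates the fix and any CGI script using urllib on it can have its outbound requests redirected. Outside CGI (no REQUEST_METHOD) the uppercase HTTP_PROXY set by an operator keeps working, which is why the fix is keyed on REQUEST_METHOD rather than on the variable's case alone.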
CVSS score: 5.0 (CVSS v3).
Dates:
- Disclosure date: 2016-07-18 (Python issue bpo-27568 reported)
- Reported by: Scott Geary (HTTPoxy)
Fixed In¶
- Python 2.7.13 (2016-12-17) fixed by commit 75d7b61 (branch 2.7) (2016-07-30)
- Python 3.3.7 (2017-09-19) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
- Python 3.4.6 (2017-01-16) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
- Python 3.5.3 (2017-01-16) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
- Python 3.6.0 (2016-12-22) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
Python issue¶
“HTTPoxy”, use of HTTP_PROXY flag supplied by attacker in CGI scripts.
- Python issue: bpo-27568
- Creation date: 2016-07-18
- Reporter: Rémi Rampin
CVE-2016-1000110¶
The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
- CVE ID: CVE-2016-1000110
- Published: 2019-11-27
- CVSS Score: 5.8
Timeline¶
Timeline using the disclosure date 2016-07-18 as reference:
- 2016-07-18: Python issue bpo-27568 reported by Rémi Rampin
- 2016-07-30 (+12 days): commit 75d7b61 (branch 2.7)
- 2016-07-31 (+13 days): commit 4cbb23f (branch 3.3)
- 2016-12-17 (+152 days): Python 2.7.13 released
- 2016-12-22 (+157 days): Python 3.6.0 released
- 2017-01-16 (+182 days): Python 3.4.6 released
- 2017-01-16 (+182 days): Python 3.5.3 released
- 2017-09-19 (+428 days): Python 3.3.7 released
- 2019-11-27 (+1227 days): CVE-2016-1000110 published