.. _httpoxy:

HTTPoxy attack
==============

.. warning::
   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**. The `canonical
   database for vulnerabilities affecting Python `_ is available on GitHub
   in the Open Source Vulnerability (OSV) format. This vulnerability can be
   viewed online at the `Open Source Vulnerability Database `_.

It was discovered that the Python ``CGIHandler`` class did not properly
protect against the ``HTTP_PROXY`` variable name clash in a CGI context. A
remote attacker could use this flaw to redirect HTTP requests performed by a
Python CGI script to an attacker-controlled proxy via a malicious HTTP
request.

The clash comes from the CGI specification (RFC 3875), which exposes every
request header to the script as an environment variable named ``HTTP_``
followed by the upper-cased header name. A client-supplied ``Proxy:`` header
therefore reaches the script as ``HTTP_PROXY``, the same variable that
``urllib`` and many other HTTP clients read to locate an outbound proxy.

Fix: ignore the ``HTTP_PROXY`` variable when ``REQUEST_METHOD`` is set in
the environment, which indicates that the script is running in CGI mode. The
all-lowercase ``http_proxy`` is still honoured, since CGI only generates
upper-case variable names.

CVSS score: 5.0 (CVSS v3).

Dates:

* Disclosure date: **2016-07-18** (Python issue bpo-27568 reported)
* Reported by: Scott Geary (HTTPoxy)

Fixed In
--------

* Python **2.7.13** (2016-12-17) fixed by `commit 75d7b61 (branch 2.7) `_ (2016-07-30)
* Python **3.3.7** (2017-09-19) fixed by `commit 4cbb23f (branch 3.3) `_ (2016-07-31)
* Python **3.4.6** (2017-01-16) fixed by `commit 4cbb23f (branch 3.3) `_ (2016-07-31)
* Python **3.5.3** (2017-01-16) fixed by `commit 4cbb23f (branch 3.3) `_ (2016-07-31)
* Python **3.6.0** (2016-12-22) fixed by `commit 4cbb23f (branch 3.3) `_ (2016-07-31)

Python issue
------------

"HTTPoxy", use of HTTP_PROXY flag supplied by attacker in CGI scripts.

* Python issue: `bpo-27568 `_
* Creation date: 2016-07-18
* Reporter: Rémi Rampin

CVE-2016-1000110
----------------

The CGIHandler class in Python before 2.7.12 does not protect against the
HTTP_PROXY variable name clash in a CGI script, which could allow a remote
attacker to redirect HTTP requests.

* CVE ID: `CVE-2016-1000110 `_
* Published: 2019-11-27
* `CVSS Score `_: 5.8

Timeline
--------

Timeline using the disclosure date **2016-07-18** as reference:

* 2016-07-18: `Python issue bpo-27568 `_ reported by Rémi Rampin
* 2016-07-30 (**+12 days**): `commit 75d7b61 (branch 2.7) `_
* 2016-07-31 (**+13 days**): `commit 4cbb23f (branch 3.3) `_
* 2016-12-17 (**+152 days**): Python 2.7.13 released
* 2016-12-22 (**+157 days**): Python 3.6.0 released
* 2017-01-16 (**+182 days**): Python 3.4.6 released
* 2017-01-16 (**+182 days**): Python 3.5.3 released
* 2017-09-19 (**+428 days**): Python 3.3.7 released
* 2019-11-27 (**+1227 days**): CVE-2016-1000110 published

Links
-----

* https://httpoxy.org/
* https://access.redhat.com/security/cve/cve-2016-1000110
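The name clash and the fix described above, as an added example that is not
code from the CPython patch or from this page: it shows the CGI header-to-environment
mapping that creates ``HTTP_PROXY``, proxy discovery before and after the fix
(ignoring ``HTTP_PROXY`` once ``REQUEST_METHOD`` is present), and a
cross-check against the ``urllib.request.getproxies_environment()`` of the
interpreter running it. The request headers, host names, proxy URLs and
helper names are constructed for the demonstration.

```python
import os
import urllib.request


def cgi_environ_from_request(headers, method="GET"):
    """Build the CGI meta-variables a web server derives from one request.

    RFC 3875 turns every request header into HTTP_<NAME> (upper-cased,
    '-' replaced by '_'), so a client header "Proxy: http://x" lands in
    the script's environment as HTTP_PROXY, the same name many HTTP
    clients read to find an outbound proxy.  (The CONTENT_TYPE /
    CONTENT_LENGTH special cases are omitted; they do not matter here.)
    """
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxies_vulnerable(environ):
    """Pre-fix behaviour: any *_proxy variable is trusted, case-insensitively."""
    proxies = {}
    for name, value in environ.items():
        name = name.lower()
        if value and name.endswith("_proxy"):
            proxies[name[:-6]] = value
    return proxies


def proxies_fixed(environ):
    """Post-fix behaviour, mirroring the approach described on this page.

    Pass 1 collects every *_proxy variable case-insensitively.  If
    REQUEST_METHOD is present the script is running under CGI, so the
    'http' entry, which may have come from the all-uppercase HTTP_PROXY
    that the server derived from a client "Proxy:" header, is dropped.
    Pass 2 re-applies only exact-lowercase names (http_proxy,
    https_proxy, ...), which CGI never generates, so an operator's own
    setting still wins.
    """
    proxies = {}
    for name, value in environ.items():
        lname = name.lower()
        if value and lname.endswith("_proxy"):
            proxies[lname[:-6]] = value
    if "REQUEST_METHOD" in environ:
        proxies.pop("http", None)
    for name, value in environ.items():
        if name.endswith("_proxy"):  # case-sensitive: lowercase names only
            if value:
                proxies[name[:-6]] = value
            else:
                proxies.pop(name[:-6], None)
    return proxies


def stdlib_proxies(environ):
    """Cross-check: run the real urllib.request.getproxies_environment()
    against a scratch environment, restoring os.environ afterwards."""
    saved = dict(os.environ)
    os.environ.clear()
    os.environ.update(environ)
    try:
        return urllib.request.getproxies_environment()
    finally:
        os.environ.clear()
        os.environ.update(saved)


# Constructed sample: one hostile request hitting a Python CGI script on a
# host whose operator has configured a legitimate HTTPS proxy.  All names
# and URLs here are hypothetical.
ATTACKER_HEADERS = {
    "Host": "app.example",
    "Proxy": "http://attacker.example:8080",
}
OPERATOR_ENV = {"https_proxy": "http://corp-proxy.internal:3128"}


def demo():
    """Return (vulnerable, fixed, stdlib) proxy maps for the sample request."""
    env = cgi_environ_from_request(ATTACKER_HEADERS)
    env.update(OPERATOR_ENV)
    return proxies_vulnerable(env), proxies_fixed(env), stdlib_proxies(env)


if __name__ == "__main__":
    vulnerable, fixed, stdlib = demo()
    print("vulnerable:", vulnerable)  # 'http' points at attacker.example
    print("fixed:     ", fixed)       # 'http' entry gone, 'https' kept
    print("stdlib:    ", stdlib)      # matches 'fixed' on a patched interpreter
```

``stdlib_proxies`` is the check to keep: on any interpreter that carries the
fix it agrees with ``proxies_fixed``; on an unpatched one it would return the
attacker's URL under ``http``, which is exactly the condition the CVE describes.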