It was discovered that the Python
CGIHandler class did not properly
protect against the
HTTP_PROXY variable name clash in a CGI context.
A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request.
HTTP_PROXY variable when
REQUEST_METHOD environment is
set, which indicates that the script is in CGI mode.
CVSS score: 5.0 (CVSS v3).
- Disclosure date: 2016-07-18 (Python issue bpo-27568 reported)
- Reported by: Scott Geary (HTTPoxy)
- Python 2.7.13 (2016-12-17) fixed by commit 75d7b61 (branch 2.7) (2016-07-30)
- Python 3.3.7 (2017-09-19) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
- Python 3.4.6 (2017-01-17) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
- Python 3.5.3 (2017-01-17) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
- Python 3.6.0 (2016-12-23) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
“HTTPoxy”, use of HTTP_PROXY flag supplied by attacker in CGI scripts.
- Python issue: bpo-27568
- Creation date: 2016-07-18
- Reporter: Rémi Rampin
The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
Timeline using the disclosure date 2016-07-18 as reference:
- 2016-07-18: Python issue bpo-27568 reported by Rémi Rampin
- 2016-07-30 (+12 days): commit 75d7b61 (branch 2.7)
- 2016-07-31 (+13 days): commit 4cbb23f (branch 3.3)
- 2016-12-17 (+152 days): Python 2.7.13 released
- 2016-12-23: Python 3.6.0 released
- 2017-01-17 (+183 days): Python 3.4.6 released
- 2017-01-17 (+183 days): Python 3.5.3 released
- 2017-09-19 (+428 days): Python 3.3.7 released
- 2019-11-27 (+1227 days): CVE-2016-1000110 published