HTTPoxy attack

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

It was discovered that Python's urllib proxy detection (urllib.getproxies_environment() in Python 2, urllib.request.getproxies_environment() in Python 3, which urlopen() and ProxyHandler consult) did not protect against the HTTP_PROXY variable name clash when a script runs in a CGI context, for example under the wsgiref CGIHandler class.

The clash is specific to HTTP_PROXY. A CGI gateway (RFC 3875) exposes each client request header to the script as an environment variable named HTTP_ followed by the upper-cased header name, so a client-supplied "Proxy: ..." header arrives as HTTP_PROXY, the same name operators use to configure an outgoing HTTP proxy. No other *_PROXY variable can be produced this way, because every header-derived variable starts with HTTP_.

A remote attacker could use this flaw to redirect plain-HTTP requests performed by a Python CGI script to an attacker-controlled proxy by sending a single malicious request carrying a Proxy header, so that the contents of those requests can be read and their responses tampered with.

Fix: getproxies_environment() ignores the HTTP_PROXY variable when the REQUEST_METHOD environment variable is set, which indicates that the script is running in CGI mode (RFC 3875 requires the gateway to set REQUEST_METHOD). An all-lowercase http_proxy variable is still honoured, since a CGI gateway only produces upper-case HTTP_* names, so an operator-configured lowercase proxy cannot be spoofed by a client.
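The clash and the fix, as an added example that is not code from CPython or from the HTTPoxy disclosure: the CGI gateway and the pre-fix and post-fix proxy lookups are simplified re-implementations written for this page, the HTTP request is a constructed sample, and the hostnames (www.example.test, attacker.example, corp-proxy.example) are placeholders. The last function runs the real urllib.request.getproxies_environment() so you can check the interpreter you are auditing.

```python
# Added example for this advisory (not code from CPython or the HTTPoxy
# disclosure): it models how a CGI gateway turns a client "Proxy:" header
# into HTTP_PROXY, contrasts the pre-fix and post-fix proxy lookup, and
# checks whether the running interpreter applies the bpo-27568 fix.
import os
import urllib.request

# Constructed sample request (not a real capture): an ordinary-looking GET
# carrying the attacker-supplied "Proxy" header that triggers the clash.
RAW_REQUEST = (
    "GET /cgi-bin/report.py HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: curl/7.47.0\r\n"
    "Proxy: http://attacker.example:8080\r\n"
    "\r\n"
)


def cgi_environ_from_raw_request(raw):
    """Simplified RFC 3875 gateway: REQUEST_METHOD is always set, and every
    request header becomes HTTP_<NAME> with the name upper-cased and '-'
    replaced by '_'.  A 'Proxy' header therefore lands in HTTP_PROXY."""
    request_line, _, header_block = raw.partition("\r\n")
    method, path, _ = request_line.split(" ", 2)
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": method,
           "SCRIPT_NAME": path}
    for line in header_block.split("\r\n"):
        if not line:          # the empty line ends the header block
            break
        name, _, value = line.partition(":")
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env


def vulnerable_getproxies(environ):
    """Pre-fix lookup: any variable ending in _proxy (case-insensitively)
    selects a proxy, so a client-controlled HTTP_PROXY wins."""
    proxies = {}
    for name, value in environ.items():
        name = name.lower()
        if value and name.endswith("_proxy"):
            proxies[name[:-6]] = value
    return proxies


def fixed_getproxies(environ):
    """Lookup modelled on the bpo-27568 fix: in CGI mode (REQUEST_METHOD set)
    forget the 'http' entry, which may have come from HTTP_PROXY, then
    re-apply only exact-lowercase *_proxy names, which a CGI gateway never
    produces."""
    proxies = vulnerable_getproxies(environ)
    if "REQUEST_METHOD" in environ:
        proxies.pop("http", None)
    for name, value in environ.items():
        if name.endswith("_proxy"):       # exact lowercase, not name.lower()
            key = name[:-6]
            if value:
                proxies[key] = value
            else:
                proxies.pop(key, None)
    return proxies


def interpreter_is_patched():
    """Run the real urllib.request.getproxies_environment() under the
    simulated CGI environment.  Returns True when HTTP_PROXY is ignored in
    CGI mode.  os.environ is restored afterwards.  Caveat: on Windows
    os.environ upper-cases names, so lowercase http_proxy is not
    distinguishable there."""
    saved = dict(os.environ)
    try:
        os.environ.clear()
        os.environ.update(cgi_environ_from_raw_request(RAW_REQUEST))
        return "http" not in urllib.request.getproxies_environment()
    finally:
        os.environ.clear()
        os.environ.update(saved)


if __name__ == "__main__":
    env = cgi_environ_from_raw_request(RAW_REQUEST)
    print("HTTP_PROXY seen by the script:", env.get("HTTP_PROXY"))
    print("pre-fix proxies :", vulnerable_getproxies(env))
    print("post-fix proxies:", fixed_getproxies(env))
    print("this interpreter is patched:", interpreter_is_patched())
```

Run it under the Python you are auditing: a patched interpreter prints an empty post-fix proxy dict for the CGI environment and True for the check, while an unpatched one reports the attacker's proxy. The check only covers Python's own urllib; a CGI script that shells out to a tool which honours HTTP_PROXY still needs the web server to drop the client's Proxy header, which is the server-side mitigation HTTPoxy recommends.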

CVSS score: 5.0 (CVSS v3).

Dates:

  • Disclosure date: 2016-07-18 (Python issue bpo-27568 reported)
  • Reported by: Scott Geary (HTTPoxy)

Fixed In

  • Python 2.7.13
  • Python 3.3.7
  • Python 3.4.6
  • Python 3.5.3
  • Python 3.6.0

Python issue

“HTTPoxy”, use of HTTP_PROXY flag supplied by attacker in CGI scripts.

  • Python issue: bpo-27568
  • Creation date: 2016-07-18
  • Reporter: Rémi Rampin

CVE-2016-1000110

The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.

Note that the version bound in the CVE text does not match the timeline below: Python 2.7.12 was released on 2016-06-25, before the issue was reported, and the first 2.7 release that contains the fix is 2.7.13.

Timeline

Timeline using the disclosure date 2016-07-18 as reference:

  • 2016-07-18: Python issue bpo-27568 reported by Rémi Rampin
  • 2016-07-30 (+12 days): commit 75d7b61 (branch 2.7)
  • 2016-07-31 (+13 days): commit 4cbb23f (branch 3.3)
  • 2016-12-17 (+152 days): Python 2.7.13 released
  • 2016-12-22 (+157 days): Python 3.6.0 released
  • 2017-01-16 (+182 days): Python 3.4.6 released
  • 2017-01-16 (+182 days): Python 3.5.3 released
  • 2017-09-19 (+428 days): Python 3.3.7 released
  • 2019-11-27 (+1227 days): CVE-2016-1000110 published