HTTPoxy attack

It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context.

A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request.

Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates that the script is in CGI mode.

CVSS score: 5.0 (CVSS v3).

Dates:

• Disclosure date: 2016-07-18 (Python issue bpo-27568 reported)
• Reported by: Scott Geary (HTTPoxy)

Fixed In

• Python 2.7.13 (2016-12-17) fixed by commit 75d7b61 (branch 2.7) (2016-07-30)
• Python 3.3.7 (2017-09-19) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
• Python 3.4.6 (2017-01-17) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
• Python 3.5.3 (2017-01-17) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)
• Python 3.6.0 (2016-12-23) fixed by commit 4cbb23f (branch 3.3) (2016-07-31)

Python issue

“HTTPoxy”, use of HTTP_PROXY flag supplied by attacker in CGI scripts.

• Python issue: bpo-27568
• Creation date: 2016-07-18
• Reporter: Rémi Rampin

CVE-2016-1000110

The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.

• CVE ID: CVE-2016-1000110
• Published: 2019-11-27
• CVSS Score: 5.8

Timeline

Timeline using the disclosure date 2016-07-18 as reference:

• 2016-07-18: Python issue bpo-27568 reported by Rémi Rampin
• 2016-07-30 (+12 days): commit 75d7b61 (branch 2.7)
• 2016-07-31 (+13 days): commit 4cbb23f (branch 3.3)
• 2016-12-17 (+152 days): Python 2.7.13 released
• 2016-12-23: Python 3.6.0 released
• 2017-01-17 (+183 days): Python 3.4.6 released
• 2017-01-17 (+183 days): Python 3.5.3 released
• 2017-09-19 (+428 days): Python 3.3.7 released
• 2019-11-27 (+1227 days): CVE-2016-1000110 published

Links

• https://httpoxy.org/
• https://access.redhat.com/security/cve/cve-2016-1000110