Arch Linux Security Advisory ASA-201607-9 ========================================= Severity: High Date : 2016-07-21 CVE-ID : CVE-2016-5385 Package : drupal Type : proxy injection Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package drupal before version 8.1.7-1 is vulnerable to proxy injection via environment variable. Resolution ========== Upgrade to 8.1.7-1. # pacman -Syu "drupal>=8.1.7-1" The problem has been fixed upstream in version 8.1.7. Workaround ========== Apache (.htaccess) <IfModule mod_headers.c> RequestHeader unset Proxy </IfModule> NGINX/FastCGI fastcgi_param HTTP_PROXY ""; For any other service please visit: https://httpoxy.org/ Description =========== Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. This vulnerability is called 'httpoxy'. httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict: RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY HTTP_PROXY is a popular environment variable used to configure an outgoing proxy This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now. Impact ====== A remote attacker is able to proxy the outgoing HTTP requests made by the web application, direct the server to open outgoing connections to an address and port of their choosing or tie up server resources by forcing the vulnerable software to use a malicious proxy. References ========== https://access.redhat.com/security/cve/CVE-2016-5385 https://www.drupal.org/SA-CORE-2016-003 https://httpoxy.org/ https://bugzilla.redhat.com/show_bug.cgi?id=1353794