On 7/22/16 6:39 PM, Perry E. Metzger wrote:
> It works by an attacker inserting an http_proxy header into the headers which it presents to the web server, which are then passed in the HTTP_PROXY environment variable to the CGI script. I think that there aren't many ways to read this.
And Mailman 2.1's CGIs will do absolutely nothing with an HTTP_PROXY environment variable. They won't look for it even if it's there. They look at things like query strings and POST data to determine what to do and then they write HTML to stdout.
> I don't know. I don't know if Mailman uses any of the vulnerable routines that might cause HTTP_PROXY being set to cause trouble.
Mailman 2.1 uses the Python cgi module and uses only cgi.FieldStorage() to retrieve POST data and query fragments.
It uses nothing other than writes to stdout to send any kind of output.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
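
Added example, not part of the original message and not Mailman code: a sketch of the header-to-environment mapping discussed in this thread (RFC 3875 section 4.1.18) and of a scrub a CGI script could apply before any HTTP client library reads proxy variables. The function names, header values and hostnames are constructed for illustration.

```python
# Added illustration; function names are hypothetical, sample data is constructed.

def cgi_meta_variables(headers):
    """Map request headers to CGI meta-variables as RFC 3875 section 4.1.18
    describes: upper-case the name, turn '-' into '_', prefix 'HTTP_'."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def is_cgi(environ):
    """A CGI server sets these for every request; a login shell normally does not."""
    return "GATEWAY_INTERFACE" in environ or "REQUEST_METHOD" in environ


def proxy_seen_by_client(environ):
    """What an HTTP client that honours proxy variables would pick up."""
    return environ.get("http_proxy") or environ.get("HTTP_PROXY")


def scrub_cgi_environ(environ):
    """Return a copy without HTTP_PROXY when the process runs as a CGI script.
    Lower-case http_proxy is kept: the header mapping always upper-cases,
    so that spelling can only have been set by the administrator."""
    cleaned = dict(environ)
    if is_cgi(cleaned):
        cleaned.pop("HTTP_PROXY", None)
    return cleaned


# Constructed request; all values are placeholders.
SAMPLE_HEADERS = {
    "Host": "lists.example.org",
    "User-Agent": "example-client/1.0",
    "Proxy": "http://proxy.invalid:3128",
}


def build_sample_environ():
    environ = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET",
               "QUERY_STRING": "list=test"}
    environ.update(cgi_meta_variables(SAMPLE_HEADERS))
    return environ


if __name__ == "__main__":
    raw = build_sample_environ()
    print("before scrub:", proxy_seen_by_client(raw))
    print("after scrub: ", proxy_seen_by_client(scrub_cgi_environ(raw)))
```

A script that, like the CGIs described above, only parses form data and writes to stdout never calls anything resembling proxy_seen_by_client(), so the variable is inert there.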