On Fri, 22 Jul 2016 09:48:34 -0700 Mark Sapiro <mark@msapiro.net> wrote:
> On 07/22/2016 08:55 AM, Perry E. Metzger wrote:
>> On Wed, 20 Jul 2016 12:02:13 -0700 Mark Sapiro <mark@msapiro.net>
>>> I am not an expert on httpoxy at all, but quoting from <https://httpoxy.org/#top>
>>> "httpoxy is a vulnerability for server-side web applications. If you're not deploying code, you don't need to worry."
>>> Mailman's web UI serves end user HTML pages. It does not deploy code.
>> Er, it uses CGI scripts, doesn't it? That's what it means to "deploy code" in this context.
> That's not the way I read it,

It works by an attacker inserting an http_proxy header into the headers which it presents to the web server, which are then passed in the HTTP_PROXY environment variable to the CGI script. I think that there aren't many ways to read this.

> but if you think that's the case, then you've already decided that Mailman 2.1 is vulnerable depending on the specific web server configuration.

I don't know. I don't know if Mailman uses any of the vulnerable routines that might cause HTTP_PROXY being set to cause trouble.

> GNU Mailman has no control over how you set up your web server to serve Mailman's CGI output, so your question should be "is my web server configuration vulnerable?".

Not entirely, no. You could defend Mailman by interposing code on the http server of course.
Perry
Perry E. Metzger perry@piermont.com
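The mechanism Perry describes, and the two places a defender can break it (filtering at the web server, or having the CGI program ignore a client-derived HTTP_PROXY), as an added walk-through. This is example code written for this page, not Mailman's or any web server's own code; the host names and header values are constructed, and it follows httpoxy.org's description in which the request header named "Proxy" is what the CGI meta-variable mapping turns into HTTP_PROXY.

```python
"""httpoxy walk-through: how a request header becomes HTTP_PROXY under CGI,
and two defender-side checks. Added example; hostnames are constructed."""
from typing import Dict, Mapping, Optional

# Constructed request: ordinary headers plus a client-supplied "Proxy:" header.
REQUEST_HEADERS = {
    "Host": "lists.example.org",
    "User-Agent": "example-client/1.0",
    "Proxy": "http://attacker.example.net:8080",  # constructed value
}


def cgi_meta_variables(headers: Mapping[str, str]) -> Dict[str, str]:
    """Map request headers to CGI meta-variables as RFC 3875 section 4.1.18
    describes: uppercase, '-' becomes '_', prefixed with HTTP_. This is the
    step that turns a 'Proxy:' header into HTTP_PROXY, the same variable
    proxy-aware HTTP client libraries read as configuration."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def strip_proxy_header(headers: Mapping[str, str]) -> Dict[str, str]:
    """Web-server-side mitigation ("interposing code on the http server"):
    drop the Proxy request header before the CGI environment is built.
    HTTP header names are case-insensitive, so compare lower-cased."""
    return {n: v for n, v in headers.items() if n.lower() != "proxy"}


def effective_proxy(environ: Mapping[str, str]) -> Optional[str]:
    """CGI-side mitigation, the check current Python urllib also performs:
    REQUEST_METHOD is only set when running under CGI, and in that context
    HTTP_PROXY came from the client, so it must be ignored."""
    if "REQUEST_METHOD" in environ:
        return None
    return environ.get("HTTP_PROXY") or environ.get("http_proxy")


def demo() -> Dict[str, Optional[str]]:
    """Compare the unfiltered, server-filtered and CGI-checked outcomes."""
    cgi_env = cgi_meta_variables(REQUEST_HEADERS)
    cgi_env["REQUEST_METHOD"] = "GET"
    hardened_env = cgi_meta_variables(strip_proxy_header(REQUEST_HEADERS))
    hardened_env["REQUEST_METHOD"] = "GET"
    return {
        "attacker_controlled": cgi_env.get("HTTP_PROXY"),
        "after_header_strip": hardened_env.get("HTTP_PROXY"),
        "used_by_cgi_check": effective_proxy(cgi_env),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```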