[Mailman-Users] Is mailman vulnerable to the httpoxy bug?
Perry E. Metzger
perry at piermont.com
Fri Jul 22 21:39:50 EDT 2016
On Fri, 22 Jul 2016 09:48:34 -0700 Mark Sapiro <mark at msapiro.net>
> On 07/22/2016 08:55 AM, Perry E. Metzger wrote:
> > On Wed, 20 Jul 2016 12:02:13 -0700 Mark Sapiro
> > <mark at msapiro.net>
> >> I am not an expert on httpoxy at all, but quoting from
> >> <https://httpoxy.org/#top>
> >> "httpoxy is a vulnerability for server-side web applications. If
> >> you’re not deploying code, you don’t need to worry."
> >> Mailman's web UI serves end user HTML pages. It does not deploy
> >> code.
> > Er, it uses CGI scripts, doesn't it? That's what it means to
> > "deploy code" in this context.
> That's not the way I read it,
It works by an attacker inserting an http_proxy header into the
headers which it presents to the web server, which are then passed in
the HTTP_PROXY environment variable to the CGI script. I think that
there aren't many ways to read this.
> but if you think that's the case, then
> you've already decided that Mailman 2.1 is vulnerable depending on
> the specific web server configuration.
I don't know. I don't know if Mailman uses any of the vulnerable
routines that might cause HTTP_PROXY being set to cause trouble.
> GNU Mailman has no control
> over how you set up your web server to serve Mailman's CGI output,
> so your question should be "is my web server configuration
Not entirely, no. You could defend Mailman by interposing code on the
http server of course.
Perry E. Metzger perry at piermont.com
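As an added illustration of the mechanism described above (not code from this thread or from Mailman): a CGI gateway maps every request header to an HTTP_* meta-variable per RFC 3875, so a client-supplied "Proxy" header lands in HTTP_PROXY, the same variable many HTTP client libraries read for their outbound proxy. The header names and values below are constructed, `effective_proxy` is a simplified stand-in for such a library rather than any real one, and `strip_client_proxy` is the gateway-side mitigation of dropping that variable before the CGI program inherits it.

```python
from typing import Dict, Mapping, Optional

# Constructed sample request: ordinary headers plus a client-supplied
# "Proxy" header of the kind httpoxy abuses.
SAMPLE_HEADERS = {
    "Host": "lists.example.org",
    "User-Agent": "constructed-client/1.0",
    "Proxy": "http://proxy.invalid:8080",
}


def cgi_meta_variables(headers: Mapping[str, str]) -> Dict[str, str]:
    """Map request headers to CGI meta-variables the way RFC 3875 does:
    'HTTP_' + name upper-cased with '-' turned into '_'. Nothing here can
    tell a header the client made up from one the server intended, so a
    'Proxy' header becomes HTTP_PROXY."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers.items()}


def effective_proxy(env: Mapping[str, str]) -> Optional[str]:
    """Simplified stand-in (an assumption, not any library's real code) for
    an HTTP client that honours the proxy environment variables."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def strip_client_proxy(env: Mapping[str, str]) -> Dict[str, str]:
    """Gateway-side mitigation: remove the one variable a request header can
    reach before the CGI program, and any HTTP client it uses, sees it.
    An operator who genuinely needs a proxy for CGI code should pass it
    under a name no header maps to (httpoxy.org suggests CGI_HTTP_PROXY)."""
    return {k: v for k, v in env.items() if k != "HTTP_PROXY"}


def request_carries_proxy_header(headers: Mapping[str, str]) -> bool:
    """Detection hook for the access log: browsers never send this header,
    so its presence is worth recording."""
    return any(n.lower() == "proxy" for n in headers)


if __name__ == "__main__":
    raw = cgi_meta_variables(SAMPLE_HEADERS)
    print("proxy seen by CGI code before fix:", effective_proxy(raw))
    print("proxy seen by CGI code after fix: ", effective_proxy(strip_client_proxy(raw)))
    print("request flagged:", request_carries_proxy_header(SAMPLE_HEADERS))
```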