[Mailman-Users] Is mailman vulnerable to the httpoxy bug?
Perry E. Metzger
perry at piermont.com
Sat Jul 23 11:23:25 EDT 2016
On Sat, 23 Jul 2016 16:36:30 +0900 "Stephen J. Turnbull"
<turnbull.stephen.fw at u.tsukuba.ac.jp> wrote:
> > It works by an attacker inserting an http_proxy header into the
> > headers which it presents to the web server, which are then
> > passed in the HTTP_PROXY environment variable to the CGI script.
> > I think that there aren't many ways to read this.
>
> Erm, here's what the site says:
>
> What can happen if my web application is vulnerable?
> If a vulnerable HTTP client makes an outgoing HTTP connection,
> while running in a server-side CGI application,
>
> Note the *in a server-side CGI*. AFAICS, we're done: we're safe.
You're misinterpreting. The issue is that some server side systems
also use web APIs of various kinds.
> Mailman (as we distribute it) doesn't make *outgoing* HTTP
> connections, it sends responses to incoming requests.
So that makes it invulnerable, yes.
> BTW, the Mailman 3 bundled Django applications Postorius and
> HyperKitty are also apparently safe from this vulnerability even
> though they make outgoing HTTP connections to the Mailman core,
> since they are WSGI applications:
>
> wsgi, for example, is not vulnerable, because os.environ is not
> polluted by CGI data
> (from http://httpoxy.org)
Well, actually, if you read more, apps using
wsgiref.handlers.CGIHandler are (apparently) vulnerable, unless I'm
misreading.
> > > GNU Mailman has no control over how you set up your web server
> > > to serve Mailman's CGI output, so your question should be "is
> > > my web server configuration vulnerable?".
> >
> > Not entirely, no. You could defend Mailman by interposing code
> > on the http server of course.
>
> I don't understand. If you mean between Mailman and the HTTP
> server, that's site configuration and Mark's question applies. If
> you mean in Mailman itself (and the Python modules it calls), I
> guess you mean the "belt and suspenders" approach? (In fact the
> RightThang to do there would be to remove all envvars that Mailman
> itself doesn't depend on, with the same risk of bugs, of course.)
What I meant was that you can do things on the web server side like
altering your handling of http_proxy (which is what I did on my web
servers as soon as this came out). I would agree that nuking any
environment variable that you don't know that you need is probably a
good idea in general. It increases safety.
Perry
--
Perry E. Metzger perry at piermont.com
More information about the Mailman-Users
mailing list