Hi Moritz,

On Mon, Jul 25, 2016 at 5:03 PM, Moritz Muehlenhoff <j...@debian.org> wrote:
> Source: yaws
> Severity: normal
> Tags: security
>
> http://seclists.org/oss-sec/2016/q3/95 claims that yaws sets
> HTTP_PROXY based on a passed Proxy: header. I don't see any
> evidence for that in the source, but maybe I'm missing something?
Actually, it does set HTTP_PROXY if the Proxy: header is passed to it.

You can see in src/yaws.erl (lines 2537-2542 in 2.0.3) that it collects all unknown headers into the "other" headers collection:

    %% auxiliary headers we don't have builtin support for
    {ok, X} ->
        ?Debug("OTHER header ~p~n", [X]),
        http_collect_headers(CliSock, Req,
                             H#headers{other=[X|H#headers.other]},
                             SSL, Count+1);

And in src/yaws_cgi.erl (lines 370-373 in 2.0.3) it passes all the "other" headers to the CGI script environment (with HTTP_ prepended, so Proxy becomes HTTP_PROXY; the tohttp function does exactly that):

    {"HTTP_COOKIE", flatten_val(make_cookie_val(H#headers.cookie))}
    ]++lists:map(fun({http_header,_,Var,_,Val})->{tohttp(Var),Val} end,
                 H#headers.other)
    )) ++

So, YAWS is vulnerable. How do you think we should fix this?

Cheers!
-- 
Sergei Golovan
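The header-to-environment mapping Sergei describes, and the fix the thread is asking for, modelled as an added example (not yaws's own code; yaws's real implementation is in src/yaws_cgi.erl). The sample headers are constructed, and tohttp is assumed to follow the RFC 3875 rule (HTTP_ prefix, upper-case, '-' to '_'), which is what turns Proxy into HTTP_PROXY.

```python
"""Model of the CGI header-to-environment mapping discussed above.
Constructed example, not yaws's own code: the real code lives in
src/yaws_cgi.erl; this mirrors the described behaviour in Python."""

# Constructed sample request headers. yaws keeps headers it has no builtin
# field for (such as Proxy) in the "other" collection, modelled as a list.
OTHER_HEADERS = [
    ("X-Forwarded-For", "203.0.113.5"),
    ("Proxy", "http://203.0.113.99:8080"),  # client-controlled value
    ("Accept-Language", "en"),
]


def tohttp(name: str) -> str:
    """CGI meta-variable name for a request header (RFC 3875 section 4.1.18):
    prefix HTTP_, upper-case, '-' becomes '_'. Assumed to match yaws's tohttp."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_env_vulnerable(other_headers):
    """Behaviour the mail describes: every 'other' header becomes HTTP_<NAME>,
    so a client-supplied Proxy: header lands in HTTP_PROXY, which HTTP client
    libraries inside the CGI script may honour as their outbound proxy."""
    return {tohttp(name): value for name, value in other_headers}


def cgi_env_hardened(other_headers):
    """Mitigation: drop the Proxy header (case-insensitively) before building
    the environment, so no client can populate HTTP_PROXY."""
    return {tohttp(name): value
            for name, value in other_headers
            if name.lower() != "proxy"}


def env_is_safe(env) -> bool:
    """True when HTTP_PROXY did not reach the CGI environment."""
    return "HTTP_PROXY" not in env


if __name__ == "__main__":
    print("vulnerable:", cgi_env_vulnerable(OTHER_HEADERS))
    print("hardened:  ", cgi_env_hardened(OTHER_HEADERS))
```

The same check (no HTTP_PROXY in the CGI environment after the fix) is what a regression test for the Debian patch would assert.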