Strip bogus "Proxy" header before creating subprocess environment.
(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi, mod_proxy)

Do not emit HTTP_PROXY to subprocess environment.
Some executables use HTTP_PROXY to configure outgoing proxy.
This is not a lighttpd security issue per se, but this change to lighttpd
adds a layer of defense to protect backend processes which might be
vulnerable due to blindly using this untrusted environment variable.
The HTTP_PROXY environment variable should not be trusted by a program
running in a CGI-like environment.

Mitigation in lighttpd <= 1.4.40 is to reject requests w/ Proxy header:

* Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:

    if (lighty.request["Proxy"] == nil) then return 0 else return 403 end

* Modify lighttpd.conf to load mod_magnet and run lua code

    server.modules += ( "mod_magnet" )
    magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

References:
  https://www.kb.cert.org/vuls/id/797896
    CGI web servers assign Proxy header values from client requests to
    internal HTTP_PROXY environment variables
  https://httpoxy.org/
    httpoxy: A CGI application vulnerability

personal/stbuehler/mod-csrf-old
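The following is an added illustration, not lighttpd's own code and not part of this commit. It models in Python what the commit message describes: the CGI rule that turns a request header into an `HTTP_*` environment variable (so a client-supplied `Proxy:` header becomes `HTTP_PROXY`), the pre-fix and post-fix gateway behaviour, a Python mirror of the mod_magnet reject-with-403 check, and the backend-side caveat that a program running under CGI should ignore `HTTP_PROXY`. The header values, hostnames and function names are constructed for the example; the case-insensitive header match is a choice made here and is not a claim about how mod_magnet compares header names.

```python
"""Added example: how a "Proxy" request header becomes HTTP_PROXY in a CGI
environment, and the gateway-side and backend-side defences against it.
Not lighttpd code; all names and sample values are constructed."""
from typing import Dict, Optional

# Constructed sample request headers as a CGI gateway would see them.
# "Proxy" is not a standard request header; here it is attacker-supplied.
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "example.org",
    "User-Agent": "curl/7.0",
    "Proxy": "http://attacker.invalid:8080",  # constructed malicious value
}

# Minimal meta-variables every CGI invocation carries (RFC 3875).
_CGI_BASE = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET"}


def header_to_env_name(name: str) -> str:
    """RFC 3875 protocol-specific meta-variable naming: prefix "HTTP_",
    uppercase the header name and replace '-' with '_'.
    "Proxy" therefore collides with the conventional HTTP_PROXY variable."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_env_vulnerable(headers: Dict[str, str]) -> Dict[str, str]:
    """Pre-fix gateway behaviour: every request header is copied into the
    subprocess environment, so a "Proxy:" header yields HTTP_PROXY."""
    env = dict(_CGI_BASE)
    for name, value in headers.items():
        env[header_to_env_name(name)] = value
    return env


def build_cgi_env_hardened(headers: Dict[str, str]) -> Dict[str, str]:
    """Post-fix gateway behaviour: drop the "Proxy" header before building
    the environment, so HTTP_PROXY is never emitted to the subprocess."""
    env = dict(_CGI_BASE)
    for name, value in headers.items():
        if name.lower() == "proxy":  # case-insensitive match (choice made here)
            continue
        env[header_to_env_name(name)] = value
    return env


def magnet_style_check(headers: Dict[str, str]) -> int:
    """Python mirror of the mod_magnet mitigation for lighttpd <= 1.4.40:
    return 403 when a Proxy header is present, 0 to let the request through."""
    return 403 if any(n.lower() == "proxy" for n in headers) else 0


def backend_outgoing_proxy_naive(env: Dict[str, str]) -> Optional[str]:
    """A backend that blindly configures its outgoing proxy from HTTP_PROXY:
    the pattern httpoxy exploits."""
    return env.get("HTTP_PROXY")


def backend_outgoing_proxy_safe(env: Dict[str, str]) -> Optional[str]:
    """Backend-side defence: when running in a CGI-like environment (CGI
    meta-variables are present), HTTP_PROXY is client-controlled and must be
    ignored; only honour it when launched outside a gateway."""
    if "REQUEST_METHOD" in env or "GATEWAY_INTERFACE" in env:
        return None
    return env.get("HTTP_PROXY")


if __name__ == "__main__":
    vuln = build_cgi_env_vulnerable(SAMPLE_HEADERS)
    safe = build_cgi_env_hardened(SAMPLE_HEADERS)
    print("vulnerable gateway HTTP_PROXY:", vuln.get("HTTP_PROXY"))
    print("hardened gateway HTTP_PROXY:  ", safe.get("HTTP_PROXY"))
    print("magnet check status:          ", magnet_style_check(SAMPLE_HEADERS))
    print("naive backend would use:      ", backend_outgoing_proxy_naive(vuln))
    print("safe backend would use:       ", backend_outgoing_proxy_safe(vuln))
```

Both layers are worth keeping: the gateway fix stops the variable from ever reaching the subprocess, while the backend check protects programs that may be launched by an unpatched gateway.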
5 changed files with 33 additions and 1 deletions