Description
Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. Under CGI and FastCGI, the value of an incoming "Proxy" request header is placed in the HTTP_PROXY environment variable, which Guzzle reads to locate an outbound proxy, so an attacker can provide a proxy server that Guzzle will use for those requests. The details of this are explained at https://httpoxy.org/.
CVE identifier(s) issued
CVE-2016-5385
Versions affected
Drupal core 8.x versions prior to 8.1.7
Solution
Install the latest version:
If you use Drupal 8.x, upgrade to Drupal core 8.1.7
If you use Drupal 7.x, Drupal core is not affected. However, you should consider using the mitigation steps at https://httpoxy.org/, since you might have modules or other software on your server affected by this issue.
This release includes changes to .htaccess and web.config. To ensure that your site is secure, use Drupal 8.1.7's default version of these files, or add the following to your custom versions:
.htaccess
---------------------------------------
<IfModule mod_headers.c>
# Disable Proxy header, since it's an attack vector.
RequestHeader unset Proxy
</IfModule>
---------------------------------------
web.config
---------------------------------------
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
        <match url="*.*" />
        <serverVariables>
          <set name="HTTP_PROXY" value="" />
        </serverVariables>
        <action type="None" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
---------------------------------------
The release also includes a change to instructions in default.settings.php. If you are using a proxy for outbound requests from your web server, the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables are no longer supported. You will need to change your settings.php to configure the proxy using the following settings:
---------------------------------------
$settings['http_client_config']['proxy']['http']
$settings['http_client_config']['proxy']['https']
$settings['http_client_config']['proxy']['no']
---------------------------------------
If you do not use an outbound proxy, you do not need to make any changes to your settings.php. Most sites do not use an outbound proxy.
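The following is an added example, not Drupal's or Guzzle's own code. It models how a CGI front end maps request headers to HTTP_* environment variables (the root of httpoxy) and shows the two mitigations this advisory applies: dropping the Proxy header at the web server, as the .htaccess and web.config snippets above do, and taking the outbound proxy only from the explicit $settings keys rather than from the environment. The request headers and proxy addresses are constructed sample values.

```python
from typing import Dict, Optional

# Environment variables an HTTP client might trust for proxy discovery.
PROXY_ENV_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY")


def cgi_env_from_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """RFC 3875 mapping as a CGI/FastCGI gateway performs it:
    'User-Agent' becomes HTTP_USER_AGENT, and 'Proxy' becomes HTTP_PROXY."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Web-server mitigation, equivalent to 'RequestHeader unset Proxy' or the
    web.config rule: drop the header (case-insensitively) before it reaches CGI."""
    return {name: value for name, value in headers.items()
            if name.lower() != "proxy"}


def env_derived_proxy(env: Dict[str, str]) -> Optional[str]:
    """Pre-fix behaviour: a client that trusts HTTP_PROXY from the environment."""
    return env.get("HTTP_PROXY") or None


def configured_proxy(settings: dict, env: Dict[str, str]) -> Optional[str]:
    """Post-fix behaviour: only $settings['http_client_config']['proxy']['http']
    is honoured; the CGI environment (env) is deliberately ignored."""
    return settings.get("http_client_config", {}).get("proxy", {}).get("http")


def proxy_env_leaked(env: Dict[str, str]) -> bool:
    """Detection helper: True if any proxy variable reached the CGI environment."""
    return any(var in env for var in PROXY_ENV_VARS)


# Constructed sample request carrying a Proxy header (RFC 5737 test address).
REQUEST_HEADERS = {
    "Host": "example.test",
    "User-Agent": "curl/7.0",
    "Proxy": "http://203.0.113.9:8080",
}

# Constructed settings.php equivalent for a site that really uses an outbound proxy.
SITE_SETTINGS = {"http_client_config": {"proxy": {"http": "http://proxy.internal:3128"}}}

if __name__ == "__main__":
    unmitigated = cgi_env_from_headers(REQUEST_HEADERS)
    mitigated = cgi_env_from_headers(strip_proxy_header(REQUEST_HEADERS))
    print("unmitigated proxy:", env_derived_proxy(unmitigated))   # attacker-supplied
    print("mitigated proxy:  ", env_derived_proxy(mitigated))     # None
    print("configured proxy: ", configured_proxy(SITE_SETTINGS, unmitigated))
```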
See https://httpoxy.org/ for full details on the vulnerability and the required changes on all affected environments.