Drupal 8.1.6 HTTP traffic to an arbitrary proxy server

2016.07.19
Credit: Guzzle
Risk: High
Local: No
Remote: Yes
CWE: CWE-284


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Description

Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org/.

CVE identifier(s) issued

CVE-2016-5385

Versions affected

Drupal core 8.x versions prior to 8.1.7

Solution

Install the latest version:

If you use Drupal 8.x, upgrade to Drupal core 8.1.7.

If you use Drupal 7.x, Drupal core is not affected. However, you should consider using the mitigation steps at https://httpoxy.org/, since you might have modules or other software on your server affected by this issue.

This release includes changes to .htaccess and web.config. To ensure that your site is secure, use Drupal 8.1.7's default version of these files, or add the following to your custom versions:

.htaccess
---------------------------------------
<IfModule mod_headers.c>
  # Disable Proxy header, since it's an attack vector.
  RequestHeader unset Proxy
</IfModule>
---------------------------------------

web.config
---------------------------------------
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
        <match url="*.*" />
        <serverVariables>
          <set name="HTTP_PROXY" value="" />
        </serverVariables>
        <action type="None" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
---------------------------------------

The release also includes a change to the instructions in default.settings.php. If you use a proxy for outbound requests from your web server, the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables are no longer supported.

You will need to change your settings.php to configure these using the following settings:
---------------------------------------
$settings['http_client_config']['proxy']['http']
$settings['http_client_config']['proxy']['https']
$settings['http_client_config']['proxy']['no']
---------------------------------------

If you do not use an outbound proxy, you do not need to make any changes to your settings.php. Most sites do not use an outbound proxy.

See https://httpoxy.org/ for full details on the vulnerability and the required changes on all affected environments.
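The following is an added example, not Drupal or Guzzle code: it models why a client-supplied Proxy header collides with the HTTP_PROXY environment variable under CGI-style header mapping, and shows the effect of the two mitigations the advisory applies (stripping the header at the web server, and taking the outbound proxy only from explicit settings.php configuration). The request headers, host names and settings values are constructed for illustration.

```python
# Added example (not Drupal or Guzzle code): a model of the httpoxy
# header-to-environment collision and of the advisory's two mitigations.
# All sample values below are constructed for illustration.
from typing import Dict, Optional

# Constructed inbound request carrying a client-supplied Proxy header.
REQUEST_HEADERS = {
    "Host": "example.test",
    "Proxy": "http://proxy.invalid:8080",  # constructed value
}


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Derive CGI meta-variables from request headers as RFC 3875 does:
    each header becomes HTTP_<NAME> with '-' replaced by '_'.  A request
    header named 'Proxy' therefore lands in HTTP_PROXY, the same variable
    name that HTTP client libraries read as the outbound proxy setting."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers.items()}


def legacy_proxy_lookup(env: Dict[str, str]) -> Optional[str]:
    """Pre-8.1.7 behaviour: the outbound proxy is read from the environment,
    so a request-controlled HTTP_PROXY is trusted."""
    return env.get("HTTP_PROXY")


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Mitigation 1, equivalent to 'RequestHeader unset Proxy': drop the
    header at the web server so it never becomes HTTP_PROXY."""
    return {n: v for n, v in headers.items() if n.lower() != "proxy"}


def configured_proxy_lookup(settings: Dict, scheme: str = "http") -> Optional[str]:
    """Mitigation 2, modelled on $settings['http_client_config']['proxy']:
    only explicit configuration is consulted; the web-context environment
    is never read because its contents can be request-controlled."""
    return settings.get("http_client_config", {}).get("proxy", {}).get(scheme)


def demo() -> Dict[str, Optional[str]]:
    env = cgi_meta_variables(REQUEST_HEADERS)
    settings = {"http_client_config": {"proxy": {"http": "http://corp-proxy.internal:3128"}}}
    return {
        "legacy": legacy_proxy_lookup(env),
        "header_stripped": legacy_proxy_lookup(cgi_meta_variables(strip_proxy_header(REQUEST_HEADERS))),
        "configured": configured_proxy_lookup(settings),
        "configured_no_proxy": configured_proxy_lookup({}),
    }
```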

References:

https://www.drupal.org/project/drupal/releases/8.1.7
https://www.drupal.org/SA-CORE-2016-003


Copyright 2024, cxsecurity.com