Drupal 8.1.6 HTTP traffic to an arbitrary proxy server

CVE: CVE-2016-5385
Category: CWE-284
Price: $1,000
Severity: High
Author: Philippe Dubost
Risk: Critical
Exploitation Type: Remote
Date: 2016-07-19
CPE: cpe:cpe:/a:drupal:drupal:8.1.6
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 0
EPSSP: 0


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2016070150

Below is a copy:

Description
Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org/.

CVE identifier(s) issued
CVE-2016-5385

Versions affected
Drupal core 8.x versions prior to 8.1.7

Solution
Install the latest version:
If you use Drupal 8.x, upgrade to Drupal core 8.1.7
If you use Drupal 7.x, Drupal core is not affected. However, you should consider using the mitigation steps at https://httpoxy.org/ since you might have modules or other software on your server affected by this issue.

This release includes changes to .htaccess and web.config. To ensure that your site is secure, use Drupal 8.1.7's default version of these files, or add the following to your custom versions:

.htaccess
---------------------------------------
<IfModule mod_headers.c>
  # Disable Proxy header, since it's an attack vector.
  RequestHeader unset Proxy
</IfModule>
---------------------------------------


web.config
---------------------------------------
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
        <match url="*.*" />
        <serverVariables>
          <set name="HTTP_PROXY" value="" />
        </serverVariables>
        <action type="None" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
---------------------------------------

The release also includes a change to the instructions in default.settings.php. If you use a proxy for outbound requests from your web server, the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables are no longer supported. You will need to change your settings.php to configure the proxy using the following settings:

---------------------------------------
$settings['http_client_config']['proxy']['http']
$settings['http_client_config']['proxy']['https']
$settings['http_client_config']['proxy']['no']
---------------------------------------

If you do not use an outbound proxy, you do not need to make any changes to your settings.php. Most sites do not use an outbound proxy.

See https://httpoxy.org/ for full details on the vulnerability and the required changes on all affected environments.
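
The mechanism behind the .htaccess, web.config and settings.php changes above, as an added Python sketch that is not part of the advisory and is not Drupal or Guzzle code. It assumes the CGI convention (RFC 3875) that a request header `Name` is exposed to the application as the variable `HTTP_NAME`; the function names and host names are constructed for illustration.

```python
# Added illustration (not Drupal or Guzzle code): why a "Proxy" request header
# ends up as HTTP_PROXY under CGI-style servers, and what each fix changes.

def cgi_environ(request_headers):
    """Map request headers to CGI variables: header X-Y becomes HTTP_X_Y."""
    environ = {}
    for name, value in request_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ

def unset_proxy_header(request_headers):
    """Model of `RequestHeader unset Proxy`; header names are case-insensitive."""
    return {k: v for k, v in request_headers.items() if k.lower() != "proxy"}

def proxy_from_environment(environ):
    """Simplified model of a client that trusts HTTP_PROXY from the environment
    (the behaviour the advisory says is no longer supported). An empty value,
    as set by the web.config rule, counts as no proxy."""
    return environ.get("HTTP_PROXY") or None

def proxy_from_settings(settings):
    """Model of the explicit lookup: only the settings.php value is honoured."""
    return settings.get("http_client_config", {}).get("proxy", {}).get("http")

# Constructed sample request and settings; all host names are placeholders.
SAMPLE_HEADERS = {"Host": "site.example", "pRoXy": "http://untrusted.example:8080"}
SAMPLE_SETTINGS = {
    "http_client_config": {"proxy": {"http": "http://proxy.internal.example:3128"}}
}

def demo():
    raw = cgi_environ(SAMPLE_HEADERS)
    filtered = cgi_environ(unset_proxy_header(SAMPLE_HEADERS))
    return {
        "unpatched": proxy_from_environment(raw),
        "header_unset": proxy_from_environment(filtered),
        "explicit_settings": proxy_from_settings(SAMPLE_SETTINGS),
        "no_outbound_proxy": proxy_from_settings({}),
    }

if __name__ == "__main__":
    for case, proxy in demo().items():
        print(f"{case:18} -> {proxy}")
```

The `unpatched` case shows the name collision: the value comes from the client's request, not from the operator's environment, which is why the fixes both drop the header and stop reading the variable.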



