CVE-2016-1000111 - Forced Browsing vulnerability in Twisted
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: NONE
- Integrity impact: LOW
- Availability impact: NONE
Summary
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Directory Indexing: An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name, since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
- Forceful Browsing: An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.
Nessus
- NASL family: Red Hat Local Security Checks
  NASL id: REDHAT-RHSA-2018-0273.NASL
  description: An update is now available for Red Hat Satellite 6.2 for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 06 Feb 2018] This advisory has been updated with the correct solution. The packages included in this revised update have not been changed in any way from the packages included in the original advisory. Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too. Security Fix(es) : * It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000111) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. This update fixes the following bugs : * Upgrades from Satellite 6.2 to Satellite 6.3 were failing due to the use of certificates with custom authorities. These upgrade paths now work. (BZ# 1523880, BZ#1527963) * Additional tooling is provided to support data validation when upgrading from Satellite 6.2 to Satellite 6.3. (BZ#1519904) * Several memory usage bugs in goferd and qpid have been resolved. (BZ# 1319165, BZ#1318015, BZ#1492355, BZ#1491160, BZ#1440235) * The performance of Puppet reporting and errata applicability has been improved. (BZ#1465146, BZ#1482204) * Upgrading from 6.2.10 to 6.2.11 without correctly stopping services can cause the upgrade to fail on removing qpid data. This case is now handled properly. (BZ#1482539) * The cipher suites for the Puppet server can now be configured by the installation process. (BZ#1491363) * The default cipher suite for the Apache server is now more secure by default. (BZ#1467434) * The Pulp server contained in Satellite has been enhanced to better handle concurrent processing of errata applicability for a single host and syncing Puppet repositories. (BZ#1515195, BZ#1421594) * VDC subscriptions create guest pools which are for a single host only. Administrators were attaching these pools to activation keys which was incorrect. The ability to do this has been disabled. (BZ#1369189) * Satellite was not susceptible to RHSA-2016:1978 but security scanners would incorrectly flag this as an issue. The package from this errata is now delivered in the Satellite channel to avoid these false positives. (BZ# 1497337) * OpenScap report parsing resulted in a memory leak. This leak has been fixed. (BZ#1454743) * The validation on the length of names for docker containers and repositories was too restrictive. Names can now be longer. (BZ#1424689) Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.
  last seen: 2020-03-18
  modified: 2018-02-06
  plugin id: 106615
  published: 2018-02-06
  reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/106615
  title: RHEL 6 / 7 : Red Hat Satellite 6 (RHSA-2018:0273)
- NASL family: Red Hat Local Security Checks
  NASL id: REDHAT-RHSA-2016-1978.NASL
  description: An update for python-twisted-web is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too. Security Fix(es) : * It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000111) Note: After this update, python-twisted-web will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable. Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.
  last seen: 2020-03-18
  modified: 2016-10-03
  plugin id: 93826
  published: 2016-10-03
  reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/93826
  title: RHEL 6 / 7 : python-twisted-web (RHSA-2016:1978)
- NASL family: SuSE Local Security Checks
  NASL id: OPENSUSE-2016-1482.NASL
  description: This update for python-Twisted fixes the following issues : - No longer automatically export the http_proxy environment variable to avoid the proxy being trusted by unaware applications, if a Proxy request header is supplied (boo#989997, CVE-2016-1000111)
  last seen: 2020-06-05
  modified: 2016-12-16
  plugin id: 95911
  published: 2016-12-16
  reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/95911
  title: openSUSE Security Update : python-Twisted (openSUSE-2016-1482)
- NASL family: SuSE Local Security Checks
  NASL id: SUSE_SU-2017-0114-1.NASL
  description: This update for python-Twisted fixes the following issues : - CVE-2016-1000111: sets environmental variable HTTP_PROXY based on user supplied Proxy request header (bsc#989997) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-03-24
  modified: 2019-01-02
  plugin id: 119991
  published: 2019-01-02
  reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/119991
  title: SUSE SLES12 Security Update : python-Twisted (SUSE-SU-2017:0114-1)
- NASL family: Ubuntu Local Security Checks
  NASL id: UBUNTU_USN-3585-1.NASL
  description: It was discovered that Twisted incorrectly handled certain HTTP requests. An attacker could possibly use this issue to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-03-18
  modified: 2018-03-06
  plugin id: 107146
  published: 2018-03-06
  reporter: Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/107146
  title: Ubuntu 14.04 LTS / 16.04 LTS : twisted vulnerability (USN-3585-1)
- NASL family: Oracle Linux Local Security Checks
  NASL id: ORACLELINUX_ELSA-2016-1978.NASL
  description: From Red Hat Security Advisory 2016:1978 : An update for python-twisted-web is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too. Security Fix(es) : * It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000111) Note: After this update, python-twisted-web will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable. Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.
  last seen: 2020-03-18
  modified: 2016-09-30
  plugin id: 93804
  published: 2016-09-30
  reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/93804
  title: Oracle Linux 6 / 7 : python-twisted-web (ELSA-2016-1978)
- NASL family: Amazon Linux Local Security Checks
  NASL id: ALA_ALAS-2016-760.NASL
  description: It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
  last seen: 2020-03-17
  modified: 2016-10-28
  plugin id: 94342
  published: 2016-10-28
  reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/94342
  title: Amazon Linux AMI : python-twisted-web (ALAS-2016-760)
- NASL family: CentOS Local Security Checks
  NASL id: CENTOS_RHSA-2016-1978.NASL
  description: An update for python-twisted-web is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too. Security Fix(es) : * It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000111) Note: After this update, python-twisted-web will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable. Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.
  last seen: 2020-03-17
  modified: 2016-09-30
  plugin id: 93803
  published: 2016-09-30
  reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/93803
  title: CentOS 6 / 7 : python-twisted-web (CESA-2016:1978)
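The following is an added example (not Twisted's own code) illustrating the RFC 3875 section 4.1.18 namespace conflict described in the Summary and the mitigation the advisories above describe (the Proxy request header is no longer exported as HTTP_PROXY). It maps request headers to CGI meta-variables the way the RFC specifies, shows the vulnerable and the fixed gateway side by side, and adds a request-review check; all names are this example's own and the sample request is constructed.

```python
# Added example, not Twisted's code: how an RFC 3875 CGI gateway maps request
# headers to HTTP_* meta-variables, why a client-sent "Proxy" header collides
# with HTTP_PROXY (httpoxy), and the mitigation Twisted 16.3.1 applied.
# All names here are this example's own; the request below is constructed.

# RFC 3875 section 4.1.18 carries these two headers in dedicated variables
# instead of generic HTTP_* ones.
DEDICATED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}

# Derived names a client must never be allowed to populate; HTTP_PROXY is the
# one proxy-aware client libraries read, which is the httpoxy collision.
BLOCKED_META_VARIABLES = {"HTTP_PROXY"}

# Constructed request: a benign-looking GET carrying a crafted Proxy header.
SAMPLE_REQUEST_HEADERS = {
    "Host": "cgi.example.invalid",
    "User-Agent": "curl/7.47.0",
    "Content-Type": "text/plain",
    "Proxy": "http://proxy.example.invalid:8080",
}

def header_to_meta_variable(name: str) -> str:
    """RFC 3875 4.1.18 rule: upper-case, '-' becomes '_', prefix HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")

def build_cgi_env_vulnerable(headers: dict) -> dict:
    """Pre-16.3.1 behaviour: every header is exported, so 'Proxy: <url>'
    becomes HTTP_PROXY=<url> in the CGI script's environment."""
    env = {}
    for name, value in headers.items():
        env[DEDICATED.get(name.lower()) or header_to_meta_variable(name)] = value
    return env

def build_cgi_env_fixed(headers: dict) -> dict:
    """Mitigated behaviour (Twisted 16.3.1, RHSA-2016:1978): a header whose
    derived name is a blocked variable is dropped before export."""
    env = {}
    for name, value in headers.items():
        key = DEDICATED.get(name.lower()) or header_to_meta_variable(name)
        if key in BLOCKED_META_VARIABLES:
            continue  # httpoxy: never let the client set HTTP_PROXY
        env[key] = value
    return env

def request_sets_http_proxy(headers: dict) -> bool:
    """Request-review helper: would any header of this request land in
    HTTP_PROXY under the generic CGI mapping? Useful for WAF or log triage."""
    return any(header_to_meta_variable(n) in BLOCKED_META_VARIABLES for n in headers)
```

Note that Proxy-Authorization maps to HTTP_PROXY_AUTHORIZATION and is therefore not affected; only a header named exactly Proxy (in any letter case) collides with the proxy variable.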
References
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
- https://twistedmatrix.com/pipermail/twisted-web/2016-August/005268.html
- https://twistedmatrix.com/trac/ticket/8623
- https://www.openwall.com/lists/oss-security/2016/07/18/6