Vulnerabilities > CVE-2016-1000111 - Forced Browsing vulnerability in Twistedmatrix Twisted

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
twistedmatrix
CWE-425
nessus

Summary

Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Directory Indexing
    An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
  • Forceful Browsing
    An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0273.NASL
    descriptionAn update is now available for Red Hat Satellite 6.2 for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 06 Feb 2018] This advisory has been updated with the correct solution. The packages included in this revised update have not been changed in any way from the packages included in the original advisory. Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too. Security Fix(es) : * It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000111) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. This update fixes the following bugs : * Upgrades from Satellite 6.2 to Satellite 6.3 were failing due to the use of certificates with custom authorities. These upgrade paths now work. (BZ# 1523880, BZ#1527963) * Additional tooling is provided to support data validation when upgrading from Satellite 6.2 to Satellite 6.3. (BZ#1519904) * Several memory usage bugs in goferd and qpid have been resolved. (BZ# 1319165, BZ#1318015, BZ#1492355, BZ#1491160, BZ#1440235) * The performance of Puppet reporting and errata applicability has been improved. (BZ#1465146, BZ#1482204) * Upgrading from 6.2.10 to 6.2.11 without correctly stopping services can cause the upgrade to fail on removing qpid data. This case is now handled properly. (BZ#1482539) * The cipher suites for the Puppet server can now be configured by the installation process. (BZ#1491363) * The default cipher suite for the Apache server is now more secure by default. (BZ#1467434) * The Pulp server contained in Satellite has been enhanced to better handle concurrent processing of errata applicability for a single host and syncing Puppet repositories. (BZ#1515195, BZ#1421594) * VDC subscriptions create guest pools which are for a single host only. Administrators were attaching these pools to activation keys which was incorrect. The ability to do this has been disabled. (BZ#1369189) * Satellite was not susceptible to RHSA-2016:1978 but security scanners would incorrectly flag this as an issue. The package from this errata is now delivered in the Satellite channel to avoid these false positives. (BZ# 1497337) * OpenScap report parsing resulted in a memory leak. This leak has been fixed. (BZ#1454743) * The validation on the length of names for docker containers and repositories was too restrictive. Names can now be longer. (BZ#1424689) Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.
    last seen2020-03-18
    modified2018-02-06
    plugin id106615
    published2018-02-06
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106615
    titleRHEL 6 / 7 : Red Hat Satellite 6 (RHSA-2018:0273)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1978.NASL
    descriptionAn update for python-twisted-web is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too. Security Fix(es) : * It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000111) Note: After this update, python-twisted-web will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable. Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.
    last seen2020-03-18
    modified2016-10-03
    plugin id93826
    published2016-10-03
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93826
    titleRHEL 6 / 7 : python-twisted-web (RHSA-2016:1978)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1482.NASL
    descriptionThis update for python-Twisted fixes the following issues : - No longer automatically export the http_proxy environment variable to avoid the proxy being trusted by unaware applications, if a Proxy request header is supplied (boo#989997, CVE-2016-1000111)
    last seen2020-06-05
    modified2016-12-16
    plugin id95911
    published2016-12-16
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95911
    titleopenSUSE Security Update : python-Twisted (openSUSE-2016-1482)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0114-1.NASL
    descriptionThis update for python-Twisted fixes the following issues : - CVE-2016-1000111: sets environmental variable HTTP_PROXY based on user supplied Proxy request header (bsc#989997) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-24
    modified2019-01-02
    plugin id119991
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119991
    titleSUSE SLES12 Security Update : python-Twisted (SUSE-SU-2017:0114-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3585-1.NASL
    descriptionIt was discovered that Twisted incorrectly handled certain HTTP requests. An attacker could possibly use this issue to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2018-03-06
    plugin id107146
    published2018-03-06
    reporterUbuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107146
    titleUbuntu 14.04 LTS / 16.04 LTS : twisted vulnerability (USN-3585-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-1978.NASL
    descriptionFrom Red Hat Security Advisory 2016:1978 : An update for python-twisted-web is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too. Security Fix(es) : * It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000111) Note: After this update, python-twisted-web will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable. Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.
    last seen2020-03-18
    modified2016-09-30
    plugin id93804
    published2016-09-30
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93804
    titleOracle Linux 6 / 7 : python-twisted-web (ELSA-2016-1978)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-760.NASL
    descriptionIt was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
    last seen2020-03-17
    modified2016-10-28
    plugin id94342
    published2016-10-28
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94342
    titleAmazon Linux AMI : python-twisted-web (ALAS-2016-760)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-1978.NASL
    descriptionAn update for python-twisted-web is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too. Security Fix(es) : * It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000111) Note: After this update, python-twisted-web will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable. Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.
    last seen2020-03-17
    modified2016-09-30
    plugin id93803
    published2016-09-30
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93803
    titleCentOS 6 / 7 : python-twisted-web (CESA-2016:1978)

Redhat

advisories
bugzilla
id1357345
titleCVE-2016-1000111 Python Twisted: sets environmental variable based on user supplied Proxy request header
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 6 is installed
      ovaloval:com.redhat.rhba:tst:20111656003
    • commentpython-twisted-web is earlier than 0:8.2.0-5.el6_8
      ovaloval:com.redhat.rhsa:tst:20161978001
    • commentpython-twisted-web is signed with Red Hat redhatrelease2 key
      ovaloval:com.redhat.rhsa:tst:20161978002
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • commentpython-twisted-web is earlier than 0:12.1.0-5.el7_2
      ovaloval:com.redhat.rhsa:tst:20161978004
    • commentpython-twisted-web is signed with Red Hat redhatrelease2 key
      ovaloval:com.redhat.rhsa:tst:20161978002
rhsa
idRHSA-2016:1978
released2016-09-29
severityImportant
titleRHSA-2016:1978: python-twisted-web security update (Important)
rpms
  • python-twisted-web-0:12.1.0-5.el7_2
  • python-twisted-web-0:8.2.0-5.el6_8
  • candlepin-0:0.9.54.26-1.el6
  • candlepin-0:0.9.54.26-1.el7
  • candlepin-selinux-0:0.9.54.26-1.el6
  • candlepin-selinux-0:0.9.54.26-1.el7
  • foreman-0:1.11.0.86-1.el6sat
  • foreman-0:1.11.0.86-1.el7sat
  • foreman-compute-0:1.11.0.86-1.el6sat
  • foreman-compute-0:1.11.0.86-1.el7sat
  • foreman-debug-0:1.11.0.86-1.el6sat
  • foreman-debug-0:1.11.0.86-1.el7sat
  • foreman-ec2-0:1.11.0.86-1.el6sat
  • foreman-ec2-0:1.11.0.86-1.el7sat
  • foreman-gce-0:1.11.0.86-1.el6sat
  • foreman-gce-0:1.11.0.86-1.el7sat
  • foreman-installer-1:1.11.0.18-1.el6sat
  • foreman-installer-1:1.11.0.18-1.el7sat
  • foreman-installer-katello-0:3.0.0.101-1.el6sat
  • foreman-installer-katello-0:3.0.0.101-1.el7sat
  • foreman-libvirt-0:1.11.0.86-1.el6sat
  • foreman-libvirt-0:1.11.0.86-1.el7sat
  • foreman-openstack-0:1.11.0.86-1.el6sat
  • foreman-openstack-0:1.11.0.86-1.el7sat
  • foreman-ovirt-0:1.11.0.86-1.el6sat
  • foreman-ovirt-0:1.11.0.86-1.el7sat
  • foreman-postgresql-0:1.11.0.86-1.el6sat
  • foreman-postgresql-0:1.11.0.86-1.el7sat
  • foreman-rackspace-0:1.11.0.86-1.el6sat
  • foreman-rackspace-0:1.11.0.86-1.el7sat
  • foreman-vmware-0:1.11.0.86-1.el6sat
  • foreman-vmware-0:1.11.0.86-1.el7sat
  • katello-0:3.0.0-33.el6sat
  • katello-0:3.0.0-33.el7sat
  • katello-capsule-0:3.0.0-33.el6sat
  • katello-capsule-0:3.0.0-33.el7sat
  • katello-common-0:3.0.0-33.el6sat
  • katello-common-0:3.0.0-33.el7sat
  • katello-debug-0:3.0.0-33.el6sat
  • katello-debug-0:3.0.0-33.el7sat
  • katello-installer-base-0:3.0.0.101-1.el6sat
  • katello-installer-base-0:3.0.0.101-1.el7sat
  • katello-service-0:3.0.0-33.el6sat
  • katello-service-0:3.0.0-33.el7sat
  • libqpid-dispatch-0:0.4-27.el6sat
  • libqpid-dispatch-0:0.4-27.el7sat
  • pulp-admin-client-0:2.8.7.18-1.el6sat
  • pulp-admin-client-0:2.8.7.18-1.el7sat
  • pulp-nodes-child-0:2.8.7.18-1.el6sat
  • pulp-nodes-child-0:2.8.7.18-1.el7sat
  • pulp-nodes-common-0:2.8.7.18-1.el6sat
  • pulp-nodes-common-0:2.8.7.18-1.el7sat
  • pulp-nodes-parent-0:2.8.7.18-1.el6sat
  • pulp-nodes-parent-0:2.8.7.18-1.el7sat
  • pulp-puppet-admin-extensions-0:2.8.7.2-1.el6sat
  • pulp-puppet-admin-extensions-0:2.8.7.2-1.el7sat
  • pulp-puppet-plugins-0:2.8.7.2-1.el6sat
  • pulp-puppet-plugins-0:2.8.7.2-1.el7sat
  • pulp-puppet-tools-0:2.8.7.2-1.el6sat
  • pulp-puppet-tools-0:2.8.7.2-1.el7sat
  • pulp-selinux-0:2.8.7.18-1.el6sat
  • pulp-selinux-0:2.8.7.18-1.el7sat
  • pulp-server-0:2.8.7.18-1.el6sat
  • pulp-server-0:2.8.7.18-1.el7sat
  • python-pulp-agent-lib-0:2.8.7.18-1.el6sat
  • python-pulp-agent-lib-0:2.8.7.18-1.el7sat
  • python-pulp-bindings-0:2.8.7.18-1.el6sat
  • python-pulp-bindings-0:2.8.7.18-1.el7sat
  • python-pulp-client-lib-0:2.8.7.18-1.el6sat
  • python-pulp-client-lib-0:2.8.7.18-1.el7sat
  • python-pulp-common-0:2.8.7.18-1.el6sat
  • python-pulp-common-0:2.8.7.18-1.el7sat
  • python-pulp-oid_validation-0:2.8.7.18-1.el6sat
  • python-pulp-oid_validation-0:2.8.7.18-1.el7sat
  • python-pulp-puppet-common-0:2.8.7.2-1.el6sat
  • python-pulp-puppet-common-0:2.8.7.2-1.el7sat
  • python-pulp-repoauth-0:2.8.7.18-1.el6sat
  • python-pulp-repoauth-0:2.8.7.18-1.el7sat
  • python-pulp-streamer-0:2.8.7.18-1.el6sat
  • python-pulp-streamer-0:2.8.7.18-1.el7sat
  • python-qpid-proton-0:0.9-21.el6
  • python-qpid-proton-0:0.9-21.el7
  • python-twisted-web-0:12.1.0-5.el7_2
  • qpid-dispatch-debuginfo-0:0.4-27.el6sat
  • qpid-dispatch-debuginfo-0:0.4-27.el7sat
  • qpid-dispatch-router-0:0.4-27.el6sat
  • qpid-dispatch-router-0:0.4-27.el7sat
  • qpid-dispatch-tools-0:0.4-27.el6sat
  • qpid-dispatch-tools-0:0.4-27.el7sat
  • qpid-proton-c-0:0.9-21.el6
  • qpid-proton-c-0:0.9-21.el7
  • qpid-proton-debuginfo-0:0.9-21.el6
  • qpid-proton-debuginfo-0:0.9-21.el7
  • rubygem-smart_proxy_openscap-0:0.5.3.9-2.el6sat
  • rubygem-smart_proxy_openscap-0:0.5.3.9-2.el7sat
  • satellite-0:6.2.14-4.0.el6sat
  • satellite-0:6.2.14-4.0.el7sat
  • satellite-capsule-0:6.2.14-4.0.el6sat
  • satellite-capsule-0:6.2.14-4.0.el7sat
  • satellite-cli-0:6.2.14-4.0.el6sat
  • satellite-cli-0:6.2.14-4.0.el7sat
  • satellite-debug-tools-0:6.2.14-4.0.el6sat
  • satellite-debug-tools-0:6.2.14-4.0.el7sat
  • tfm-rubygem-foreman_theme_satellite-0:0.1.47.2-1.el6sat
  • tfm-rubygem-foreman_theme_satellite-0:0.1.47.2-1.el7sat
  • tfm-rubygem-katello-0:3.0.0.162-1.el6sat
  • tfm-rubygem-katello-0:3.0.0.162-1.el7sat
  • tfm-rubygem-katello_ostree-0:3.0.0.162-1.el7sat