[issue2550925] Is roundup affected by faked HTTP_PROXY cgi setting?


John Rouillard

New submission from John Rouillard:

Details at: https://httpoxy.org/

Basic idea AFAICT after a fast read.

If an HTTP header called PROXY is sent by the client, the CGI will see
that in its environment as HTTP_PROXY.

If the server does any http url retrievals (i.e. acts as an http
client), it may use HTTP_PROXY as it is a well known environment
variable for setting a proxy for an http client.

AFAIK the roundup core does no HTTP retrievals. However detectors and
the concept behind issue2550923 (Create new Computed property type)
could certainly do remote REST or other HTTP lookups.

I think this can be defended against by erasing the HTTP_PROXY setting
in the env array. People that require http proxies in their detectors
etc. can set that in the config.ini and explicitly use it.

messages: 5871
nosy: rouilj
severity: normal
status: new
title: Is roundup affected by faked HTTP_PROXY cgi setting?
type: security

Roundup tracker <[hidden email]>
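The following is an added illustration of the mechanism and the proposed defence, not Roundup code: it shows the CGI header-to-environment mapping that turns a client's `Proxy:` header into `HTTP_PROXY`, a scrub step that removes it before any outbound request, and a urllib opener that takes its proxy only from an explicit (config.ini-style) setting rather than from the environment. The request headers, function names and proxy addresses are constructed for the example; recent CPython's urllib also ignores `HTTP_PROXY` on its own when `REQUEST_METHOD` is set, but code that builds its own proxy handling, or runs on an older interpreter, gets no such help.

```python
"""Added example (not part of Roundup): how a client-supplied ``Proxy:``
header becomes HTTP_PROXY under CGI, and how to keep it away from an
outbound HTTP client such as one a detector might use.
"""
import urllib.request

# Constructed sample request: what a CGI-speaking web server would pass
# on for a request carrying a hostile ``Proxy:`` header.
SAMPLE_REQUEST_HEADERS = {
    "Host": "tracker.example.org",
    "User-Agent": "curl/7.49",
    "Proxy": "http://attacker.example.net:8080",
}


def cgi_env_from_headers(headers, base_env=None):
    """Mimic the RFC 3875 mapping a CGI server applies to request headers:
    ``HTTP_`` + upper-cased name with ``-`` replaced by ``_``.
    This is exactly the step that lets a client reach HTTP_PROXY."""
    env = dict(base_env or {})
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def scrub_httpoxy(env):
    """Return a copy of a CGI environment with HTTP_PROXY removed.
    Only the CGI-controlled spelling is dropped: the lowercase http_proxy
    an administrator might set is never produced from a header, and the
    safer design is to read the proxy from config.ini and pass it
    explicitly (see build_opener) instead of trusting the environment."""
    env = dict(env)
    env.pop("HTTP_PROXY", None)
    return env


def build_opener(config_proxy=None):
    """Return a urllib opener that never consults the environment.
    ProxyHandler({}) disables environment proxy lookup entirely; a proxy
    given explicitly (e.g. from config.ini) is applied for both schemes."""
    proxies = {}
    if config_proxy:
        proxies = {"http": config_proxy, "https": config_proxy}
    return urllib.request.build_opener(urllib.request.ProxyHandler(proxies))


def effective_proxies(opener):
    """Report which proxies an opener will use (for checks and logging)."""
    for handler in opener.handlers:
        if isinstance(handler, urllib.request.ProxyHandler):
            return dict(handler.proxies)
    return {}


if __name__ == "__main__":
    env = cgi_env_from_headers(SAMPLE_REQUEST_HEADERS, {"REQUEST_METHOD": "GET"})
    print("CGI environment sees HTTP_PROXY =", env.get("HTTP_PROXY"))
    print("after scrub, HTTP_PROXY present:", "HTTP_PROXY" in scrub_httpoxy(env))
    print("opener with no configured proxy:", effective_proxies(build_opener()))
    print("opener with config.ini proxy:",
          effective_proxies(build_opener("http://proxy.corp.example:3128")))
```

The scrub belongs at the start of the CGI entry point, before any detector or extension code runs; the opener keeps the defence from depending on the environment at all, which is the property an explicit config.ini setting gives you.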

Roundup-devel mailing list