Drupal Core – Highly Critical – Injection Vulnerability – SA-CORE-2016-003
by CIRT Team
Description: httpoxy is a set of vulnerabilities that affect application code running in CGI or CGI-like environments. It comes down to a simple namespace conflict:
- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
Impact: Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use.
Mitigation: Vendor has released new version. Upgrade to Drupal core 8.1.7
26 Oct 2023 - Security Advisories & Alerts