Drupal Core – Highly Critical – Injection Vulnerability – SA-CORE-2016-003

Description: httpoxy is a set of vulnerabilities that affect application code running in CGI or CGI-like environments. It comes down to a simple namespace conflict:

  1. RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  2. HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

Impact: Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use.

Mitigation: Vendor has released new version. Upgrade to Drupal core 8.1.7

Reference URL’s: