Debian Bug report logs - #832571
lighttpd: CVE-2016-1000212: HTTP Server sets environmental variable HTTP_PROXY based on user supplied Proxy request header (httpoxy)
Package: src:lighttpd;
Maintainer for src:lighttpd is Debian QA Group <packages@qa.debian.org>;
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Dat ...
Dominic Scheirlinck and Scott Geary of Vend reported insecure behavior
in the lighttpd web server. Lighttpd assigned Proxy header values from
client requests to internal HTTP_PROXY environment variables, allowing
remote attackers to carry out Man in the Middle (MITM) attacks or
initiate connections to arbitrary hosts.
For the stable distribution (j ...
It was discovered that lighttpd did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request ...
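
The name clash described in the two summaries above, shown as an added example (not lighttpd's code): a CGI gateway maps each request header to an `HTTP_*` environment variable, so a client `Proxy` header lands in `HTTP_PROXY` unless the server drops it. The function names, header values and hosts below are constructed for illustration.

```python
# Added example: RFC 3875 style header-to-environment mapping for CGI.
# Function names and sample request values are constructed for illustration.

def header_to_env_name(header_name):
    """Map an HTTP request header name to its CGI meta-variable name."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def build_cgi_env(request_headers, drop_proxy_header):
    """Build the environment passed to a CGI script.

    request_headers: list of (name, value) pairs as received from the client.
    drop_proxy_header: when True, apply the httpoxy mitigation and never
    export the client-supplied Proxy header.
    """
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET"}
    for name, value in request_headers:
        env_name = header_to_env_name(name)
        if drop_proxy_header and env_name == "HTTP_PROXY":
            continue  # header names are case-insensitive; compare after mapping
        env[env_name] = value
    return env

def proxy_env_is_client_controlled(env):
    """Check a CGI environment for the name clash described above."""
    return "HTTP_PROXY" in env

# Constructed sample request: mixed-case header name, placeholder proxy host.
SAMPLE_HEADERS = [
    ("Host", "www.example.test"),
    ("User-Agent", "sample-client/1.0"),
    ("pRoXy", "http://proxy.example.invalid:8080"),
]

if __name__ == "__main__":
    for drop in (False, True):
        env = build_cgi_env(SAMPLE_HEADERS, drop_proxy_header=drop)
        print("mitigated" if drop else "unmitigated",
              "-> HTTP_PROXY set from request:",
              proxy_env_is_client_controlled(env))
```

The same check can be run against the environment a deployed CGI script actually receives, by sending a request with a harmless `Proxy` value and confirming `HTTP_PROXY` is absent.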