Author Alex.Raitz
Recipients Alex.Raitz, pje
Date 2011-01-04.22:40:28
SpamBayes Score 0.000108729
Marked as misclassified No
Message-id <1294180834.68.0.172225901177.issue10751@psf.upfronthosting.co.za>
In-reply-to
Content
Per the first line of my previous comment, please ignore HTTP_REMOTE_USER.

The risk is that if the proxy does not place the user-supplied 'remote-user=VALUE1' before the proxy-supplied 'REMOTE_USER=VALUE2', wsgiref will overload REMOTE_USER with the value of REMOTE-USER.

1) Client supplies 'REMOTE-USER=admin'
2) Proxy adds 'REMOTE_USER=normal_user' and appends 'REMOTE-USER=admin'
3) Server using wsgiref processes header key/value 'REMOTE_USER=normal_user' and performs lowercase/replace, resulting in 'remote_user=normal_user'
4) Server using wsgiref continues to process the header, performs lowercase/replace on 'REMOTE-USER=admin', resulting in 'remote_user=admin', which overloads the proxy-supplied value for 'remote_user' and allows for arbitrary privilege escalation.
History
Date User Action Args
2011-01-04 22:40:34	Alex.Raitz	set	recipients: + Alex.Raitz, pje
2011-01-04 22:40:34	Alex.Raitz	set	messageid: <1294180834.68.0.172225901177.issue10751@psf.upfronthosting.co.za>
2011-01-04 22:40:29	Alex.Raitz	link	issue10751 messages
2011-01-04 22:40:29	Alex.Raitz	create
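The collision the message above walks through, as an added example that is not part of the issue thread and not wsgiref's own code: a CGI-style build of the WSGI environ that upper-cases header names and turns '-' into '_' lets a client-chosen 'REMOTE-USER' header land on the same key as a proxy-supplied REMOTE_USER, and the last writer wins. The trusted variables, header list, and function names (naive_environ, hardened_environ, shadowed_keys) are constructed for this example; the hardening shown (drop header names that already contain '_', namespace client headers under HTTP_, join repeated headers instead of overwriting) is the example's own mitigation, not a description of the patch applied to wsgiref.

```python
# Constructed example: how CGI-style header-name normalization lets a
# client-chosen 'REMOTE-USER' header collide with a proxy-supplied REMOTE_USER.

# Values the trusted reverse proxy sets after authenticating the client
# (constructed for this example).
TRUSTED_VARS = {"REMOTE_USER": "normal_user"}

# Headers the proxy forwards from the client unchanged (constructed). The
# attacker picks names that normalize to the trusted key.
CLIENT_HEADERS = [
    ("Host", "example.test"),
    ("REMOTE_USER", "root"),          # literal underscore form
    ("REMOTE-USER", "admin"),         # hyphen form, collapses to REMOTE_USER
    ("X-Forwarded-For", "198.51.100.7"),
]


def normalize(name):
    """CGI-style normalization of a header name: upper-case, '-' to '_'.
    Different wire names ('Remote-User', 'REMOTE_USER') collapse to one key."""
    return name.upper().replace("-", "_")


def naive_environ(trusted, headers):
    """Build an environ the vulnerable way: every header is written under its
    normalized name, and a later header silently overwrites an earlier value,
    including values the proxy supplied."""
    env = dict(trusted)
    for name, value in headers:
        env[normalize(name)] = value.strip()
    return env


def hardened_environ(trusted, headers):
    """Build an environ so client headers cannot shadow server variables:
    1. headers whose raw name contains '_' are dropped ('_' is legal in HTTP
       but ambiguous after normalization; many proxies drop such headers by
       default for the same reason);
    2. client headers live under an HTTP_ prefix, so they can never spell a
       server-supplied key such as REMOTE_USER;
    3. a repeated header is joined with ',' instead of overwriting."""
    env = dict(trusted)
    for name, value in headers:
        if "_" in name:
            continue
        key = "HTTP_" + normalize(name)
        value = value.strip()
        env[key] = env[key] + "," + value if key in env else value
    return env


def shadowed_keys(trusted, headers):
    """Detection helper: which trusted keys would the naive build overwrite?
    Useful as a check in front of any environ builder that still uses the
    naive scheme."""
    return {normalize(n) for n, _ in headers} & set(trusted)


if __name__ == "__main__":
    print("naive    :", naive_environ(TRUSTED_VARS, CLIENT_HEADERS)["REMOTE_USER"])
    print("hardened :", hardened_environ(TRUSTED_VARS, CLIENT_HEADERS)["REMOTE_USER"])
    print("shadowed :", shadowed_keys(TRUSTED_VARS, CLIENT_HEADERS))
```

With the constructed input, naive_environ ends with REMOTE_USER set to the client's 'admin', while hardened_environ keeps the proxy's 'normal_user' and files the client's value under HTTP_REMOTE_USER, where an application knows it is untrusted. The same first-writer/last-writer question applies to any proxy that injects identity headers: the proxy must strip the client's copies before adding its own, and the application must read identity only from keys the client cannot spell.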