Hello, welcome to the Tuesday, July 19th, 2016 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Orich, and the time recording from Minneapolis, Minnesota.

And yet again, we got a vulnerability that comes with its own logo, website, and name.

Oxy this time.

Now, this vulnerability deals with how some web application

deal with proxy headers that are being sent by users. The root cause of this issue is that

some web applications use an environment variable HTTP, in order to indicate if outbound

requests should be sent via a specific proxy. Now, this environment variable could potentially

be overwritten depending on how your web application is configured by an proxy header that's being sent by the user.

Because typically, and according to the CGI specification, any header being sent by the user

is converted to an environment variable, HTTP underscore, and then the name of the header.

So if the user sends a proxy header then

the web application framework CGI will create an environment variable

HTTP underscore proxy which then potentially overrides the environment

variable that the application set beforehand, for example, via a

configuration file. And then of course, if a request with such a header trickers an outbound

ATP request, that outbound HTTP request be sent then via the proxy, which could theoretically

lead to interception of the traffic Byn Tacker.

Now applicability of this vulnerability is limited.

They're only very specific frameworks that are vulnerable.

Also, it does depend on the configuration of the particular web application.

If you're running plain CGI, you're more likely

...