amuck-landowner

httpoxy A CGI application vulnerability for PHP, Go, Python and others

wlanboy

Content Contributer
httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

  • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now. Here’s how.
httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.


What can happen if my web application is vulnerable?
If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:

  • Proxy the outgoing HTTP requests made by the web application
  • Direct the server to open outgoing connections to an address and port of their choosing
  • Tie up server resources by forcing the vulnerable software to use a malicious proxy

httpoxy is extremely easy to exploit in basic form.


See here: https://httpoxy.org/


The assigned CVEs so far:

  • CVE-2016-5385: PHP
  • CVE-2016-5386: Go
  • CVE-2016-5387: Apache HTTP Server
  • CVE-2016-5388: Apache Tomcat
  • CVE-2016-1000109: HHVM
  • CVE-2016-1000110: Python

CloudFlare sites protected from httpoxy: https://blog.cloudflare.com/cloudflare-sites-protected-from-httpoxy/
 
Last edited by a moderator:

DomainBop

Dormant VPSB Pathogen
quick fixes:


Nginx debian/ubuntu/CentOS etc

echo 'fastcgi_param HTTP_PROXY "";' >> /etc/nginx/fastcgi_params

Nginx FreeBSD

echo 'fastcgi_param HTTP_PROXY "";' >> /usr/local/etc/nginx/fastcgi_params

Apache2 CentOS

echo "RequestHeader unset Proxy early" >> /etc/httpd/conf/httpd.conf

Apache2 Debian Jessie and Ubuntu

a2enmod headers

create file

nano /etc/apache2/conf-available/httpoxy.conf

paste and save: 

<IfModule mod_headers.c>


RequestHeader unset Proxy early


</IfModule>
a2enconf httpoxy

final step: restart Nginx and Apache


edited to add: I spent part of Thursday afternoon applying patches...
 
Last edited by a moderator:

wlanboy

Content Contributer
lighttpd:

Code:
nano /etc/lighttpd/deny-proxy.lua
content:
if (lighty.request["Proxy"] == nil) then return 0 else return 403 end

nano /etc/lighttpd/lighttpd.conf
content:
server.modules += ( "mod_magnet" )
magnet.attract-raw-url-to = ( "/etc/lighttpd/deny-proxy.lua" )
 
Last edited by a moderator:

graeme

Active Member
Python web apps are highly unlikely to be affected. The linked page says "Python code must be deployed under CGI to be vulnerable", and Python CGI scripts are a rarity. In addition to that you need to use a library that uses the HTTP_PROXY environment variable.
 
Top
amuck-landowner