# httpoxy A CGI application vulnerability for PHP, Go, Python and others



## wlanboy (Jul 23, 2016)

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:


RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY

HTTP_PROXY is a popular environment variable used to configure an outgoing proxy


This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now. Here’s how.
httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.


What can happen if my web application is vulnerable?
If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:


Proxy the outgoing HTTP requests made by the web application

Direct the server to open outgoing connections to an address and port of their choosing

Tie up server resources by forcing the vulnerable software to use a malicious proxy


httpoxy is extremely easy to exploit in basic form.


See here: https://httpoxy.org/


The assigned CVEs so far:


CVE-2016-5385: PHP

CVE-2016-5386: Go

CVE-2016-5387: Apache HTTP Server

CVE-2016-5388: Apache Tomcat

CVE-2016-1000109: HHVM

CVE-2016-1000110: Python


CloudFlare sites protected from httpoxy: https://blog.cloudflare.com/cloudflare-sites-protected-from-httpoxy/


----------



## DomainBop (Jul 23, 2016)

quick fixes:


*Nginx debian/ubuntu/CentOS etc*



> echo 'fastcgi_param HTTP_PROXY "";' >> /etc/nginx/fastcgi_params



*Nginx FreeBSD*



> echo 'fastcgi_param HTTP_PROXY "";' >> /usr/local/etc/nginx/fastcgi_params



*Apache2 CentOS*



> echo "RequestHeader unset Proxy early" >> /etc/httpd/conf/httpd.conf



*Apache2 Debian Jessie and Ubuntu*



> a2enmod headers



create file



> nano /etc/apache2/conf-available/httpoxy.conf



paste and save: 



> <IfModule mod_headers.c>
> 
> 
> RequestHeader unset Proxy early
> ...





> a2enconf httpoxy



final step: restart Nginx and Apache


edited to add: I spent part of Thursday afternoon applying patches...


----------



## wlanboy (Jul 23, 2016)

*lighttpd:*


```
nano /etc/lighttpd/deny-proxy.lua
content:
if (lighty.request["Proxy"] == nil) then return 0 else return 403 end

nano /etc/lighttpd/lighttpd.conf
content:
server.modules += ( "mod_magnet" )
magnet.attract-raw-url-to = ( "/etc/lighttpd/deny-proxy.lua" )
```


----------



## msgirlchibi (Jul 25, 2016)

thank all


----------



## graeme (Aug 2, 2016)

Python web apps are highly unlikely to be affected. The linked page says "Python code _must be deployed under CGI to be vulnerable"_, and Python CGI scripts are a rarity. In addition to that you need to use a library that uses the HTTP_PROXY environment variable.


----------

