httpoxy: A CGI application vulnerability for PHP, Go, Python and others


Content Contributer
httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

  • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now. Here’s how.
httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.

What can happen if my web application is vulnerable?
If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:

  • Proxy the outgoing HTTP requests made by the web application
  • Direct the server to open outgoing connections to an address and port of their choosing
  • Tie up server resources by forcing the vulnerable software to use a malicious proxy

httpoxy is extremely easy to exploit in basic form.

See here:

The assigned CVEs so far:

  • CVE-2016-5385: PHP
  • CVE-2016-5386: Go
  • CVE-2016-5387: Apache HTTP Server
  • CVE-2016-5388: Apache Tomcat
  • CVE-2016-1000109: HHVM
  • CVE-2016-1000110: Python

CloudFlare sites protected from httpoxy:
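An added example, not from the original post or from httpoxy.org, that walks through the namespace conflict described above in Python: the RFC 3875 header-to-environment mapping, a toy client that trusts HTTP_PROXY, and the two mitigations this thread applies (dropping the Proxy header at the web server, and ignoring HTTP_PROXY while serving a CGI request). The `SAMPLE_HEADERS` request, its hostile Proxy value and the host names are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample request, as the web server hands it to a CGI script.
# The "Proxy" header is the client-supplied value httpoxy is about.
SAMPLE_HEADERS = {
    "Host": "app.example.internal",
    "User-Agent": "curl/7.47.0",
    "Proxy": "http://attacker.example:8080",
}


def cgi_env_from_headers(headers):
    """RFC 3875 mapping: each request header becomes HTTP_<NAME>, upper-cased,
    with hyphens turned into underscores. A client-sent "Proxy" header therefore
    lands in HTTP_PROXY, the variable many HTTP clients read for their proxy."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def hardened_env_from_headers(headers):
    """Web-server side fix: drop the Proxy header before it reaches the
    environment (what 'RequestHeader unset Proxy early' and the nginx
    fastcgi_param line in this thread achieve)."""
    return cgi_env_from_headers(
        {name: value for name, value in headers.items() if name.lower() != "proxy"})


def naive_proxy_for(url, env):
    """Toy client that honours HTTP_PROXY unconditionally, as pre-httpoxy
    libraries did. Returns the proxy it would connect through, or None."""
    if urlsplit(url).scheme != "http":
        return None
    return env.get("HTTP_PROXY") or None


def fixed_proxy_for(url, env):
    """Client-side fix, mirroring the check CPython's urllib applies since
    httpoxy: when REQUEST_METHOD is set the process is serving a CGI request,
    so HTTP_PROXY is attacker-reachable and is ignored."""
    if "REQUEST_METHOD" in env:
        return None
    return naive_proxy_for(url, env)


if __name__ == "__main__":
    env = cgi_env_from_headers(SAMPLE_HEADERS)
    env["REQUEST_METHOD"] = "GET"  # set by the gateway for every CGI request
    print("vulnerable client ->", naive_proxy_for("http://backend.internal/api", env))
    print("fixed client      ->", fixed_proxy_for("http://backend.internal/api", env))
    print("hardened env has HTTP_PROXY:",
          "HTTP_PROXY" in hardened_env_from_headers(SAMPLE_HEADERS))
```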


Dormant VPSB Pathogen
quick fixes:

Nginx debian/ubuntu/CentOS etc

echo 'fastcgi_param HTTP_PROXY "";' >> /etc/nginx/fastcgi_params
Nginx FreeBSD

echo 'fastcgi_param HTTP_PROXY "";' >> /usr/local/etc/nginx/fastcgi_params
Apache2 CentOS

echo "RequestHeader unset Proxy early" >> /etc/httpd/conf/httpd.conf
Apache2 Debian Jessie and Ubuntu

a2enmod headers
create file

nano /etc/apache2/conf-available/httpoxy.conf
paste and save: 

<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>

a2enconf httpoxy
final step: restart Nginx and Apache

edited to add: I spent part of Thursday afternoon applying patches...


Content Contributer

nano /etc/lighttpd/deny-proxy.lua
if (lighty.request["Proxy"] == nil) then return 0 else return 403 end

nano /etc/lighttpd/lighttpd.conf
server.modules += ( "mod_magnet" )
magnet.attract-raw-url-to = ( "/etc/lighttpd/deny-proxy.lua" )


Active Member
Python web apps are highly unlikely to be affected. The linked page says "Python code must be deployed under CGI to be vulnerable", and Python CGI scripts are a rarity. In addition to that you need to use a library that uses the HTTP_PROXY environment variable.