httpoxy A CGI application vulnerability for PHP, Go, Python and others

[wlanboy]

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

• RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  
• HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
  

This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now. Here’s how.
httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.


What can happen if my web application is vulnerable?
If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:

• Proxy the outgoing HTTP requests made by the web application
  
• Direct the server to open outgoing connections to an address and port of their choosing
  
• Tie up server resources by forcing the vulnerable software to use a malicious proxy
  

httpoxy is extremely easy to exploit in basic form.


See here: https://httpoxy.org/


The assigned CVEs so far:

• CVE-2016-5385: PHP
  
• CVE-2016-5386: Go
  
• CVE-2016-5387: Apache HTTP Server
  
• CVE-2016-5388: Apache Tomcat
  
• CVE-2016-1000109: HHVM
  
• CVE-2016-1000110: Python
  

CloudFlare sites protected from httpoxy: https://blog.cloudflare.com/cloudflare-sites-protected-from-httpoxy/

 

[DomainBop]

quick fixes:


Nginx debian/ubuntu/CentOS etc

echo 'fastcgi_param HTTP_PROXY "";' >> /etc/nginx/fastcgi_params

Nginx FreeBSD

echo 'fastcgi_param HTTP_PROXY "";' >> /usr/local/etc/nginx/fastcgi_params

Apache2 CentOS

echo "RequestHeader unset Proxy early" >> /etc/httpd/conf/httpd.conf

Apache2 Debian Jessie and Ubuntu

a2enmod headers

create file

nano /etc/apache2/conf-available/httpoxy.conf

paste and save: 

<IfModule mod_headers.c>


RequestHeader unset Proxy early


</IfModule>

a2enconf httpoxy

final step: restart Nginx and Apache


edited to add: I spent part of Thursday afternoon applying patches...

 

[wlanboy]

lighttpd:

nano /etc/lighttpd/deny-proxy.lua
content:
if (lighty.request["Proxy"] == nil) then return 0 else return 403 end

nano /etc/lighttpd/lighttpd.conf
content:
server.modules += ( "mod_magnet" )
magnet.attract-raw-url-to = ( "/etc/lighttpd/deny-proxy.lua" )

 

[msgirlchibi]

thank all

 

[graeme]

Python web apps are highly unlikely to be affected. The linked page says "Python code must be deployed under CGI to be vulnerable", and Python CGI scripts are a rarity. In addition to that you need to use a library that uses the HTTP_PROXY environment variable.