Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts.
Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. The vulnerable behavior is the result of the naming convention for protocol-specific meta-variables defined in RFC 3875 (CGI 1.1), section 4.1.18, which leads to a name collision: "The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name." A client-supplied header named Proxy is therefore exposed to the script as HTTP_PROXY, the same variable that many HTTP client libraries read to locate an outbound proxy, and nothing in the CGI specification reserves that name.
By sending a specially crafted request to a vulnerable server, a remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts. For more information, refer to httpoxy.org.
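The collision described above, worked through in Python as an added example (this is not code from the vulnerability note, from the httpoxy researchers, or from any affected project). It builds the CGI environment for a constructed request exactly as RFC 3875 prescribes, shows what a client library that blindly honours HTTP_PROXY would use for its subrequests, shows how Python's own urllib (3.6 and later, where CVE-2016-1000110 was fixed) ignores HTTP_PROXY once REQUEST_METHOD marks a CGI context, and applies the header-stripping mitigation that the server-side rules in the Solution section implement. The hostname, the 203.0.113.10 proxy address (TEST-NET-3) and the request headers are constructed for the example.

```python
"""httpoxy demonstration: the CGI meta-variable naming rule turns a client
'Proxy' header into HTTP_PROXY, which outbound HTTP clients may honour."""
import os
from unittest import mock
import urllib.request

# Constructed request headers, as a CGI web server would receive them from a
# client.  The "Proxy" header is the attacker-controlled one; the others are
# ordinary headers included to show the general conversion rule.
ATTACK_REQUEST_HEADERS = [
    ("Host", "app.example.internal"),       # assumed hostname
    ("User-Agent", "curl/7.50.0"),
    ("Proxy", "http://203.0.113.10:8080"),  # attacker-run proxy (TEST-NET-3)
]


def cgi_meta_variables(headers, method="GET"):
    """Build the CGI environment for a request per RFC 3875 section 4.1.18:
    the header name is upper-cased, every '-' becomes '_', and 'HTTP_' is
    prepended.  A client header named 'Proxy' therefore lands in HTTP_PROXY.
    REQUEST_METHOD is always present in a real CGI environment."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_outbound_proxy(env):
    """Proxy that a client library which simply honours HTTP_PROXY would use
    for its subrequests: the pre-fix behaviour this note describes."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def urllib_outbound_proxy(env):
    """Proxy that Python's urllib would use under the same environment.
    Since the httpoxy fix, getproxies_environment() drops the HTTP_PROXY value
    whenever REQUEST_METHOD is set, i.e. whenever it is running under CGI.
    The real process environment is swapped in only for the duration of the
    call and restored afterwards."""
    with mock.patch.dict(os.environ, env, clear=True):
        return urllib.request.getproxies_environment().get("http")


def strip_proxy_header(headers):
    """Server-side mitigation: remove the 'Proxy' header before the server
    turns request headers into meta-variables.  This is what the mod_security,
    HAProxy, lighttpd and nginx rules in the Solution section do."""
    return [(n, v) for n, v in headers if n.lower() != "proxy"]


if __name__ == "__main__":
    env = cgi_meta_variables(ATTACK_REQUEST_HEADERS)
    print("HTTP_PROXY in CGI environment :", env.get("HTTP_PROXY"))
    print("naive client would proxy via  :", naive_outbound_proxy(env))
    print("patched urllib would proxy via:", urllib_outbound_proxy(env))
    safe_env = cgi_meta_variables(strip_proxy_header(ATTACK_REQUEST_HEADERS))
    print("after header filtering        :", naive_outbound_proxy(safe_env))
```

Note that urllib's fix keys on REQUEST_METHOD only; the same environment without that marker (a non-CGI process that inherited HTTP_PROXY) is still honoured, which is why the server-side filtering in the Solution section remains the primary mitigation for frameworks that do not carry an equivalent fix.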
A remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts.
Apply an update
Filter Proxy request headers
If you are using mod_security, you can use a rule like (vary the action to taste):
SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"
The rule id shown is an example; ModSecurity 2.7 and later require every rule to carry a unique id, so pick one that is unused in your rule set.
Refer to Apache's response for more information.
HAProxy (strip "Proxy" header from request)
Add to the frontend, backend or listen section of haproxy.cfg:
http-request del-header Proxy
lighttpd <= 1.4.40 (reject requests containing "Proxy" header)
Create "/path/to/deny-proxy.lua", read-only to lighttpd, containing the Lua rule that rejects requests carrying a "Proxy" header, then add to lighttpd.conf (mod_magnet must be loaded):
magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )
lighttpd2 (development) (strip "Proxy" header from request)
Add to lighttpd.conf:
Use this to block the Proxy header from being passed on to PHP-FPM, PHP-PM, etc.
Nginx with proxy_pass
The following setting should work for people who are using "proxy_pass" with nginx; an empty value makes nginx omit the header from the proxied request:
proxy_set_header Proxy "";
Microsoft has provided the following guidance for IIS servers utilizing affected third-party frameworks:
Microsoft IIS Mitigation steps:
Add the following URL Rewrite rule to applicationHost.config (or the site's web.config):
<rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
  <match url="*.*" />
  <serverVariables>
    <set name="HTTP_PROXY" value="" />
  </serverVariables>
  <action type="None" />
</rule>
The URL Rewrite module only sets server variables that are listed under <allowedServerVariables> in applicationHost.config, so HTTP_PROXY must be added to that list for the rule to take effect.
Vendor                            Status
Apache HTTP Server Project        Affected
Go Programming Language           Affected
Microsoft Corporation             Affected
The PHP Group                     Affected
EfficientIP SAS                   Not Affected
Arista Networks, Inc.             Unknown
Aruba Networks                    Unknown
Avaya, Inc.                       Unknown
Belkin, Inc.                      Unknown
Blue Coat Systems                 Unknown
CA Technologies                   Unknown
D-Link Systems, Inc.              Unknown
Debian GNU/Linux                  Unknown
DragonFly BSD Project             Unknown
EMC Corporation                   Unknown
Enterasys Networks                Unknown
Extreme Networks                  Unknown
F5 Networks, Inc.                 Unknown
Fedora Project                    Unknown
Force10 Networks                  Unknown
FreeBSD Project                   Unknown
Gentoo Linux                      Unknown
Hardened BSD                      Unknown
Hewlett Packard Enterprise        Unknown
Huawei Technologies               Unknown
IBM Corporation                   Unknown
Intel Corporation                 Unknown
Internet Systems Consortium       Unknown
Juniper Networks                  Unknown
NEC Corporation                   Unknown
Openwall GNU/*/Linux              Unknown
Oracle Corporation                Unknown
Q1 Labs                           Unknown
QNX Software Systems Inc.         Unknown
Red Hat, Inc.                     Unknown
Ricoh Company Ltd.                Unknown
Rockwell Automation               Unknown
SUSE Linux                        Unknown
Secure64 Software Corporation     Unknown
Slackware Linux Inc.              Unknown
Sony Corporation                  Unknown
TippingPoint Technologies Inc.    Unknown
Wind River                        Unknown
openSUSE project                  Unknown
Thanks to Dominic Scheirlinck and Scott Geary of Vend for reporting this vulnerability.
This document was written by Joel Land.