Vulnerability Note VU#797896
CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables
Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts.
Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. The vulnerable behavior is the result of a naming convention for meta-variables, defined in RFC 3876, which leads to a name collision: "The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name."
By sending a specially crafted request to a vulnerable server, a remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts. For more information, refer to httpoxy.org.
A remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts.
Apply an update
Filter Proxy request headers
Apache HTTP Server: in this (CGI) configuration, any language may be vulnerable (the HTTP_PROXY env var is "real"). If you are using mod_headers, you can unset the "Proxy" header with this directive:
RequestHeader unset Proxy
If you are using mod_security, you can use a rule like the following (the rule id and action are examples; vary the action to taste):
SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"
Refer to Apache's response for more information.
HAProxy: add the following to the relevant frontend, listen or backend section to strip the header before it reaches the backend:
http-request del-header Proxy
Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
if (lighty.request["Proxy"] == nil) then return 0 else return 403 end
Modify lighttpd.conf to load mod_magnet and run lua code
server.modules += ( "mod_magnet" )
magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )
lighttpd2 (development): strip the "Proxy" header from the request
Add to lighttpd.conf:
nginx: use this to block the Proxy header from being passed on to PHP-FPM, PHP-PM, etc.:
fastcgi_param HTTP_PROXY "";
The following setting should work for people who are using "proxy_pass" with nginx:
proxy_set_header Proxy "";
Microsoft has provided the following guidance for IIS servers utilizing affected third-party frameworks:
Update apphost.config with the following URL Rewrite rule, which clears the HTTP_PROXY server variable for every request:
<rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
  <match url="*.*" />
  <serverVariables>
    <set name="HTTP_PROXY" value="" />
  </serverVariables>
  <action type="None" />
</rule>
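As an added illustration (not code from the CERT note or from any of the vendors listed), the following Python reproduces the meta-variable naming rule quoted above to show how a client's "Proxy" header becomes HTTP_PROXY, applies the same filtering the configurations above perform but at the point where the CGI environment is built, and checks whether the running interpreter's urllib ignores HTTP_PROXY when REQUEST_METHOD is set, which is what the CPython fix for CVE-2016-1000110 does. The header names and values are constructed for the example; the function names are the example's own.

```python
import os
from contextlib import contextmanager
from urllib.request import getproxies_environment

# Constructed sample request: a client sends a "Proxy" header next to ordinary ones.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "203.0.113.7"),
    ("Proxy", "http://proxy.attacker.invalid:8080"),
]

def cgi_meta_name(header_name):
    """The CGI rule quoted in the note: upper-case, '-' -> '_', prefix 'HTTP_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def build_cgi_env(headers, blocked=("HTTP_PROXY",)):
    """Map headers to CGI meta-variables, refusing names that collide with proxy settings."""
    env, dropped = {}, []
    for name, value in headers:
        meta = cgi_meta_name(name)
        if meta in blocked:
            dropped.append(name)  # worth logging: the request carried a "Proxy" header
            continue
        env[meta] = value
    return env, dropped

def _set_env(key, value):
    """Set a process environment variable, or unset it when value is None."""
    if value is None:
        os.environ.pop(key, None)
    else:
        os.environ[key] = value

@contextmanager
def scoped_environ(**updates):
    """Apply the given environment changes for the block, then restore the old values."""
    saved = {k: os.environ.get(k) for k in updates}
    for k, v in updates.items():
        _set_env(k, v)
    try:
        yield
    finally:
        for k, v in saved.items():
            _set_env(k, v)

def http_proxy_honoured(cgi_context):
    """Does this Python's urllib use HTTP_PROXY? The CVE-2016-1000110 fix ignores it
    when REQUEST_METHOD is set, i.e. when the interpreter runs as a CGI script."""
    with scoped_environ(HTTP_PROXY="http://proxy.attacker.invalid:8080", http_proxy=None,
                        REQUEST_METHOD="GET" if cgi_context else None):
        return "http" in getproxies_environment()
```

`build_cgi_env(SAMPLE_HEADERS)` returns an environment without HTTP_PROXY and reports `Proxy` as the dropped header; `http_proxy_honoured(True)` returns False on an interpreter carrying the fix and True on one older than it, so it doubles as a quick check of the Python runtime behind a CGI deployment.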
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apache HTTP Server Project | Affected | 12 Jul 2016 | 18 Jul 2016 |
| Go Programming Language | Affected | - | 18 Jul 2016 |
| HAProxy | Affected | - | 13 Jul 2016 |
| HHVM | Affected | - | 18 Jul 2016 |
| lighttpd | Affected | - | 19 Jul 2016 |
| Microsoft Corporation | Affected | 12 Jul 2016 | 13 Jul 2016 |
| nginx | Affected | - | 13 Jul 2016 |
| Python | Affected | - | 18 Jul 2016 |
| The PHP Group | Affected | - | 18 Jul 2016 |
| EfficientIP SAS | Not Affected | 12 Jul 2016 | 12 Jul 2016 |
| ACCESS | Unknown | 12 Jul 2016 | 12 Jul 2016 |
| Alcatel-Lucent | Unknown | 12 Jul 2016 | 12 Jul 2016 |
| Apple | Unknown | 12 Jul 2016 | 12 Jul 2016 |
| Arista Networks, Inc. | Unknown | 12 Jul 2016 | 12 Jul 2016 |
| ARRIS | Unknown | 12 Jul 2016 | 12 Jul 2016 |
CVSS Metrics
Thanks to Dominic Scheirlinck and Scott Geary of Vend for reporting this vulnerability.
This document was written by Joel Land.
- CVE IDs: CVE-2016-5385 CVE-2016-5386 CVE-2016-5387 CVE-2016-5388 CVE-2016-1000109 CVE-2016-1000110
- Date Public: 18 Jul 2016
- Date First Published: 18 Jul 2016
- Date Last Updated: 19 Jul 2016
- Document Revision: 65