Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts.
Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. The vulnerable behavior is the result of a naming convention for meta-variables, defined in RFC 3876, which leads to a name collision: "The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name."
By sending a specially crafted request to a vulnerable server, a remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts. For more information, refer to httpoxy.org.
A remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts.
Apply an update
Filter Proxy request headers
If you are using mod_security, you can use a rule like (vary the action to taste):
SecRule &REQUEST_HEADERS:Proxy "@gt 0"
Refer to Apache's response for more information.
httprequest delheader Proxy
lighttpd <= 1.4.40 (reject requests containing "Proxy" header)
Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )
lighttpd2 (development) (strip "Proxy" header from request)
Add to lighttpd.conf:
Use this to block the Proxy header from being passed on to PHPFPM, PHPPM, etc.
Nginx with proxy_pass
The following setting should work for people who are using "proxy_pass" with nginx:
proxy_set_header Proxy ;
Microsoft has provided the following guidance for IIS servers utilizing affected third-party frameworks:
Microsoft IIS Mitigation steps:
Update apphost.config with the following rule:
<rule name=3D"Erase HTTP_PROXY" patternSyntax=3D"Wildcard">
<match url=3D"*.*" />
<set name=3D"HTTP_PROXY" value=3D />
<action type=3D"None" />
Apache HTTP Server Project
Go Programming Language
The PHP Group
Arista Networks, Inc.
Blue Coat Systems
Check Point Software Technologies
D-Link Systems, Inc.
DragonFly BSD Project
F5 Networks, Inc.
Hewlett Packard Enterprise
Internet Systems Consortium
Internet Systems Consortium - DHCP
National Center for Supercomputing Applications
QNX Software Systems Inc.
Red Hat, Inc.
Ricoh Company Ltd.
Secure64 Software Corporation
Slackware Linux Inc.
TippingPoint Technologies Inc.
Thanks to Dominic Scheirlinck and Scott Geary of Vend for reporting this vulnerability.
This document was written by Joel Land.