Overview
Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts.
Description
CWE-807: Reliance on Untrusted Inputs in a Security Decision, CWE-454: External Initialization of Trusted Variables or Data Stores Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. The vulnerable behavior is the result of a naming convention for meta-variables, defined in RFC 3876, which leads to a name collision: "The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name."
By sending a specially crafted request to a vulnerable server, a remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts. For more information, refer to httpoxy.org. |
Impact
A remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts. |
Solution
Apply an update |
Filter Proxy request headers
If you are using mod_security, you can use a rule like (vary the action to taste):
SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'" Refer to Apache's response for more information. HAProxy httprequest delheader Proxy lighttpd <= 1.4.40 (reject requests containing "Proxy" header) Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" ) lighttpd2 (development) (strip "Proxy" header from request) Add to lighttpd.conf:
Nginx/FastCGI Use this to block the Proxy header from being passed on to PHPFPM, PHPPM, etc.
Nginx with proxy_pass The following setting should work for people who are using "proxy_pass" with nginx: proxy_set_header Proxy ; Microsoft has provided the following guidance for IIS servers utilizing affected third-party frameworks: Microsoft IIS Mitigation steps: Update apphost.config with the following rule: <system.webServer> <rewrite> <rules> <rule name=3D"Erase HTTP_PROXY" patternSyntax=3D"Wildcard"> <match url=3D"*.*" /> <serverVariables> <set name=3D"HTTP_PROXY" value=3D /> </serverVariables> <action type=3D"None" /> </rule> </rules> </rewrite> </system.webServer> |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 5.1 | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| Temporal | 4.6 | E:POC/RL:ND/RC:C |
| Environmental | 1.1 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Dominic Scheirlinck and Scott Geary of Vend for reporting this vulnerability.
This document was written by Joel Land.
Other Information
| CVE IDs: | CVE-2016-5385, CVE-2016-5386, CVE-2016-5387, CVE-2016-5388, CVE-2016-1000109, CVE-2016-1000110 |
| Date Public: | 2016-07-18 |
| Date First Published: | 2016-07-18 |
| Date Last Updated: | 2016-07-19 17:04 UTC |
| Document Revision: | 66 |