Dan on Security
HTTPoxy - Web/CGI Data Leakage Vulnerability
https://nakedsecurity.sophos.com/2016/07/19/httpoxy-the-disease-that-could-make-your-web-server-spring-a-leak/

Httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like, environments. It comes down to a simple namespace conflict:
- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
This means that if your web server passes requests to a CGI engine such as PHP (php-fpm, mod_php), you might be at risk of data leakage: an attacker can trivially set the http_proxy environment variable seen by the CGI application and route its internal outgoing connections through a malicious server.

Fortunately this is easy to patch on the web server (simply block the Proxy header), e.g.:
- NGINX: fastcgi_param HTTP_PROXY "";
- Apache: RequestHeader unset Proxy early
- Others
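As an added example (not from the original post or from httpoxy.org), the Python below walks through the header-to-environment mapping from RFC 3875, shows why a naive outgoing HTTP client ends up using the attacker-supplied value, and contrasts the server-side fix (dropping the Proxy header before CGI variables are derived, which is what the NGINX and Apache one-liners above achieve) with the client-side fix several HTTP libraries adopted after httpoxy. All header values and hostnames are constructed.

```python
# Added example: RFC 3875 header mapping, the httpoxy collision, and two mitigations.
# Hostnames and header values below are constructed for illustration.

def cgi_meta_variables(method, headers):
    """RFC 3875 4.1.18: every request header becomes HTTP_<NAME>, upper-cased,
    with '-' replaced by '_'. REQUEST_METHOD is always present under CGI."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def naive_outgoing_proxy(env):
    """A client that honours http_proxy in any letter case: under CGI the
    header-derived HTTP_PROXY wins, which is the httpoxy bug."""
    for name, value in env.items():
        if name.lower() == "http_proxy" and value:
            return value
    return None

def hardened_outgoing_proxy(env):
    """Client-side fix used by several libraries after httpoxy: when REQUEST_METHOD
    shows the code runs under CGI, ignore the upper-case HTTP_PROXY (the one a
    request header can populate) and honour only a lower-case http_proxy that an
    operator would set deliberately."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy") or None
    return naive_outgoing_proxy(env)

def strip_proxy_header(headers):
    """Server-side fix, equivalent to `RequestHeader unset Proxy early` or
    `fastcgi_param HTTP_PROXY ""`: drop the Proxy header before CGI variables
    are derived. No standard client sends a Proxy request header."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}

def demo():
    """Returns (vulnerable, fixed_client, fixed_server) proxy choices for one
    constructed request carrying a Proxy header."""
    request = {"Host": "app.example.test", "Proxy": "untrusted.example.test:8080"}
    vulnerable = naive_outgoing_proxy(cgi_meta_variables("GET", request))
    fixed_client = hardened_outgoing_proxy(cgi_meta_variables("GET", request))
    fixed_server = naive_outgoing_proxy(
        cgi_meta_variables("GET", strip_proxy_header(request)))
    return vulnerable, fixed_client, fixed_server

if __name__ == "__main__":
    print(demo())  # ('untrusted.example.test:8080', None, None)
```

Apply the server-side fix regardless of which client libraries the application uses, since every CGI-style process inherits the same environment.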

Tags: vulnerability httpoxy

