Httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:
- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
This means that if you send any requests from your web server to a CGI engine such as PHP (php-fpm, mod_php), you might be at risk of data leakage as an attacher could easily rewrite the http_proxy environment variable used by the CGI application to send an internal connection through a malicious server.
Fortunately this is easy to patch (simply block the Proxy header) on the web server, e.g:
- NGINX: fastcgi_param HTTP_PROXY "";
- Apache: RequestHeader unset Proxy early