
2016-07-18 httpoxy: A CGI application vulnerability (CVE-2016-5385, CVE-2016-5387, CVE-2016-1000110)

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

  • RFC 3875 (CGI) maps the value of the HTTP Proxy request header into the environment variable HTTP_PROXY
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now.
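To make the namespace conflict concrete, here is an added Python example (not code from this page or from the httpoxy project) that models a CGI gateway's header-to-environment mapping, the header-blocking mitigation, and the application-side check that the Python and Go fixes adopted; the gateway function and the sample headers are constructed for illustration.

```python
from typing import Dict, Optional

# CGI meta-variable mapping (RFC 3875 section 4.1.18): a request header becomes
# HTTP_<NAME>, with the name upper-cased and every '-' replaced by '_'.
def cgi_meta_variable(header_name: str) -> str:
    return "HTTP_" + header_name.upper().replace("-", "_")

# Request headers a gateway should never forward into the environment. "Proxy"
# is the httpoxy case: its meta-variable HTTP_PROXY doubles as the de facto
# outgoing-proxy setting read by HTTP client libraries.
BLOCKED_HEADERS = {"proxy"}

def build_cgi_env(method: str, headers: Dict[str, str],
                  block: bool = True) -> Dict[str, str]:
    """Build the CGI environment for one request (hypothetical gateway).

    With block=True the Proxy header is dropped before it can become
    HTTP_PROXY, which is the effect of 'RequestHeader unset Proxy' (Apache)
    and 'fastcgi_param HTTP_PROXY ""' (nginx): the client-supplied value
    never reaches the application.
    """
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        if block and name.lower() in BLOCKED_HEADERS:
            continue
        env[cgi_meta_variable(name)] = value
    return env

def outgoing_proxy(env: Dict[str, str]) -> Optional[str]:
    """Application-side hardening, as the Python and Go fixes did: ignore
    HTTP_PROXY when REQUEST_METHOD is present, because that means the process
    is a CGI script and HTTP_PROXY was derived from a client-supplied header."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")

if __name__ == "__main__":
    # Constructed request: an ordinary Host header plus a Proxy header,
    # mirroring the page's 'curl --header "Proxy: vulnerable"' check.
    request_headers = {"Host": "localhost", "Proxy": "vulnerable"}
    unfiltered = build_cgi_env("GET", request_headers, block=False)
    filtered = build_cgi_env("GET", request_headers)
    print("unfiltered HTTP_PROXY:", unfiltered.get("HTTP_PROXY"))  # vulnerable
    print("filtered HTTP_PROXY:  ", filtered.get("HTTP_PROXY"))    # None
    print("proxy used by app:    ", outgoing_proxy(unfiltered))    # None
```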

A number of CVEs have been assigned, covering specific languages and CGI implementations:

  • CVE-2016-5385: PHP
  • CVE-2016-5386: Go
  • CVE-2016-5387: Apache HTTP Server
  • CVE-2016-5388: Apache Tomcat
  • CVE-2016-1000109: HHVM
  • CVE-2016-1000110: Python

Find more information about the vulnerability on the httpoxy website.

How to patch it

The most immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. This is easy and safe.

Apache

Follow these steps:

  • Modify the <IfModule headers_module> block in the /opt/bitnami/apache2/conf/httpd.conf file so that it unsets the Proxy request header. After the change it will look like this:

    <IfModule headers_module>
        RequestHeader unset Proxy
        <IfVersion >= 2.4.7 >
            Header always setifempty X-Frame-Options SAMEORIGIN
        </IfVersion>
        <IfVersion < 2.4.7 >
            Header always merge X-Frame-Options SAMEORIGIN
        </IfVersion>
    </IfModule>
    
  • Save the file and restart the service:

    $ sudo /opt/bitnami/ctlscript.sh restart apache
    

Nginx

Follow these steps:

  • Add this line at the end of the /opt/bitnami/nginx/conf/fastcgi_params file:

    fastcgi_param  HTTP_PROXY "";
    
  • Save the file and restart the service:

    $ sudo /opt/bitnami/ctlscript.sh restart nginx
    

How to check that the Proxy request headers are blocked

Follow these steps:

  • Create a httpoxy.php file at the Apache document root:

    <?php
    if (isset($_SERVER['HTTP_PROXY']) && $_SERVER['HTTP_PROXY'] == 'vulnerable') {
      echo 'Vulnerable!';
    }
    
  • Run the following command at the server console:

    $ curl --header "Proxy: vulnerable" http://localhost/httpoxy.php
    

    It will print “Vulnerable!” if the server is vulnerable. Once the Proxy header is blocked, the script outputs nothing for this request.