HTTP Proxy Vulnerability and Mitigation

By: admin | In: Articles, Blog, Security Advisory Blog | July 24, 2016

HTTP Proxy Vulnerability [httpoxy] - Understanding and Protecting

 

HTTP proxy, also called httpoxy, is a scripting vulnerability that affects server-side web application code running in Common Gateway Interface (CGI) environments, such as FastCGI configurations, in programming languages like PHP, Python and Go. VendHQ researchers named this vulnerability httpoxy.

Httpoxy is described as a set of vulnerabilities caused by a simple namespace conflict:

  • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  • HTTP_PROXY is a widely used environment variable for configuring an outgoing proxy.

This leads to a remotely exploitable vulnerability. Httpoxy is easy to exploit and can affect many deployments.

A number of CVE identifiers have been assigned for the affected programming languages and platforms:

  • PHP [CVE-2016-5385]
  • Go [CVE-2016-5386]
  • Apache HTTP Server [CVE-2016-5387]
  • Apache Tomcat [CVE-2016-5388]
  • HHVM [CVE-2016-1000109]
  • Python [CVE-2016-1000110]
 

Defeating Http Proxy (httpoxy) Vulnerability:

The quickest mitigation is to block Proxy request headers as early as possible, before your application gets attacked. This is safe because the Proxy header is not defined by the IETF (Internet Engineering Task Force) and isn't listed in IANA's registry of message headers. There is no standards issue, because standards-compliant HTTP clients and servers will never read or send this header. The application can use a different environment variable to configure proxy connections.

How you block the Proxy header depends entirely on your setup. The earliest suitable place to block it may be a web application firewall (WAF) or a web server running Apache or NGINX.
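As an added illustration (not code from the original article), the Python sketch below models the RFC 3875 header mapping and shows why removing the Proxy header, or blanking HTTP_PROXY, leaves nothing for a proxy-aware client to pick up. The function names and sample headers are constructed for this example, and the client lookup is simplified to a single variable.

```python
# Added illustration (not from the original article): a model of the RFC 3875
# header mapping and of the two mitigations; all names here are hypothetical.

def cgi_meta_variables(headers):
    """Map request headers to CGI meta-variables the RFC 3875 way:
    upper-case the name, turn '-' into '_', and prefix 'HTTP_'."""
    env = {}
    for name, value in headers:
        key = name.upper().replace("-", "_")
        # Content-Type and Content-Length have dedicated, unprefixed variables.
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value
        else:
            env["HTTP_" + key] = value
    return env

def strip_proxy_header(headers):
    """Front-end mitigation: drop every 'Proxy' header before the mapping
    (header names are case-insensitive), like 'RequestHeader unset Proxy'."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]

def blank_http_proxy(env):
    """FastCGI-side mitigation, modelled on 'fastcgi_param HTTP_PROXY "";':
    the application receives an empty HTTP_PROXY value."""
    return {**env, "HTTP_PROXY": ""}

def outgoing_proxy(env):
    """Simplified stand-in for a proxy-aware HTTP client: it consults only
    HTTP_PROXY and treats an empty value as 'no proxy configured'."""
    return env.get("HTTP_PROXY") or None

# Constructed sample request; every value is a placeholder.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "sample-client/1.0"),
    ("pRoXy", "http://untrusted.invalid:8080"),  # mixed case on purpose
]

def demo():
    """Return the proxy the client would use: unfiltered, stripped, blanked."""
    unfiltered = cgi_meta_variables(SAMPLE_HEADERS)
    stripped = cgi_meta_variables(strip_proxy_header(SAMPLE_HEADERS))
    return (outgoing_proxy(unfiltered), outgoing_proxy(stripped),
            outgoing_proxy(blank_http_proxy(unfiltered)))

if __name__ == "__main__":
    for label, proxy in zip(("unfiltered", "stripped", "blanked"), demo()):
        print(f"{label:>10}: outgoing proxy = {proxy}")
```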

Use this solution to mitigate the risk of being vulnerable:

NGINX:

On Ubuntu and Debian servers, FastCGI parameters are normally included from either the fastcgi.conf or the fastcgi_params file when setting up a FastCGI proxy, so you can unset the Proxy header in both of these files.

If you are using NGINX/FastCGI, you can use the following directive to block the header from being passed on to PHP. (Location: /etc/nginx/sites-enabled/some_site.conf)

fastcgi_param HTTP_PROXY "";  

In a FastCGI configuration, only PHP is vulnerable; other languages are not.

Apache:

Similarly, if you are using Apache HTTP Server with mod_cgi, languages like Python and Go may be vulnerable. If you are using the mod_headers module, you can unset the Proxy header.

An example for use in .htaccess files:

<IfModule mod_headers.c>
    RequestHeader unset Proxy
</IfModule>

If you are using mod_security, you can use a SecRule to deny traffic that carries a Proxy header. Here is an example; make sure SecRuleEngine is on. The ID 1000005 has been assigned to the issue.

SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"    

To enable mod_headers on Ubuntu or Debian servers, type in a terminal:

$ sudo a2enmod headers

Then, open the global config file:

$ sudo vim /etc/apache2/apache2.conf

At the end of the file, add:

RequestHeader unset Proxy early

Save and close the file. Afterward, restart the service:

$ sudo service apache2 restart

Conclusion

The httpoxy (HTTP proxy) vulnerability can affect many applications deployed on the web. Fortunately, the solution is very easy: it can be fixed just by altering the header at the web server.

  Reference: https://httpoxy.org/