How to fix Httpoxy, a CGI PHP/Nginx/Apache/Go application vulnerability, on Linux or Unix

Last updated July 18, 2016

A serious vulnerability was discovered in how CGI and CGI-like environments on Linux or Unix pass request headers to applications written in PHP, Go, Python and other scripting languages. How do I fix Httpoxy, a CGI application vulnerability, on Linux or Unix for HAProxy, Varnish, Nginx, PHP, Go, Python, Tomcat and others?

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

  1. RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  2. HTTP_PROXY is a popular environment variable used to configure an outgoing proxy


This leads to a remotely exploitable vulnerability: a client that sends a Proxy header can set HTTP_PROXY for the application, and an application whose HTTP client honours that variable will send its outgoing requests through an attacker-chosen proxy (a man-in-the-middle attack). If you are running PHP or CGI, you should block the Proxy header. The following web servers, web frameworks and programming languages are affected:

  • Go (CVE-2016-5386)
  • PHP (CVE-2016-5385)
  • HHVM (CVE-2016-1000109)
  • Python (CVE-2016-1000110)
  • Apache Tomcat (CVE-2016-5388)
  • Servers and proxies: Apache HTTP Server (CVE-2016-5387), Nginx, Varnish and HAProxy (mitigations below)
  • Distros: RHEL, CentOS and others (fixed through vendor updates)

Patch your OS and Apps

First install all available updates for your operating system and application software such as Apache, PHP, Nginx and more:
$ sudo apt-get update && sudo apt-get upgrade
OR
$ sudo dnf update
OR
$ sudo yum update

Httpoxy mitigation for Nginx proxy server

Edit your nginx.conf or fastcgi_params file:
# vi /etc/nginx/fastcgi_params
Add the following directive (it takes effect in every location that has include fastcgi_params;):

fastcgi_param  HTTP_PROXY  "";

When proxying HTTP requests to an upstream application, it is wise to set any Proxy header to the empty string, in case the upstream application is running on a vulnerable platform. Add this to the server or location blocks in nginx.conf that use proxy_pass for load balancing and proxying HTTP traffic:

proxy_set_header Proxy "";

Save and close the file. Reload/restart the nginx server:
# systemctl reload nginx

Httpoxy mitigation for Apache server

You can use mod_headers. Edit /etc/httpd/conf.d/site.conf or httpd.conf :
# vi /etc/httpd/conf.d/site.conf
Add the following directives:

RequestHeader unset Proxy

Save and close the file. Make sure mod_headers is loaded, then restart the Apache server:
# systemctl restart httpd

Httpoxy mitigation using HAProxy

Edit /etc/haproxy/haproxy.cfg and add the following to the frontend, backend or listen section that handles the traffic, to remove the Proxy header:

http-request del-header Proxy

Restart HAProxy:
# systemctl restart haproxy

Httpoxy mitigation using Varnish

Edit /etc/varnish/default.vcl and add the following inside the sub vcl_recv { … } section to remove the Proxy header:

 unset req.http.proxy;

Save and close the file. Restart Varnish:
# systemctl restart varnish

Httpoxy mitigation for PHP/Go lang cgi apps

The reliable fix is to configure the reverse proxy or web application firewall in front of your application (Nginx, Apache, HAProxy or Varnish) to remove the Proxy header from incoming HTTP requests before it reaches the CGI environment. See above for the server-specific directives.

Fixing your php app by editing .php file

Edit your PHP file and make sure the following statements appear near the top, right after <?php:

<?php
/* Warning: Not tested and may not be effective */
/* Clear the variable for getenv()-based HTTP clients and for code that reads $_SERVER */
putenv("HTTP_PROXY=");
$_SERVER['HTTP_PROXY'] = "";
 
/* NOTE */
/* If you are running PHP under Apache/mod_php, also clear the Apache subprocess environment: */
apache_setenv('HTTP_PROXY', '');
 
/* rest of your php script */

Save and close the file.

Fixing your Go app by editing the Go program file

Apply the following change to your program, so that HTTP_PROXY is removed from the environment before any HTTP client is created:

package main
import "os"
// Clear the CGI-supplied HTTP_PROXY first; the rest of your program follows.
func main() { os.Unsetenv("HTTP_PROXY") }

Verification

To check whether your server is affected, temporarily install the following as a CGI script on your server and make it executable (say at /var/www/html/cgi-bin/test.cgi):

#!/bin/sh
echo "Content-Type: text/plain"
echo ""
echo "HTTP_PROXY='$HTTP_PROXY'"

Save and close the file. Make it executable:
chmod +x test.cgi
Call it as follows:
curl -H "Proxy: AFFECTED" http://your-server-ip-or-name/cgi-bin/test.cgi
If you see the following output, your server is unaffected:

 HTTP_PROXY=''

If instead you see the following, or any other output, your server may be affected and you should apply one of the mitigations as discussed above:

 HTTP_PROXY='AFFECTED'
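The following is an added example, not code from the original post. It shows in miniature both halves of this article: the RFC 3875 rule from the numbered list above that turns a client's Proxy header into the HTTP_PROXY meta-variable, the edge mitigation that strips the header before the environment is built, and a checker that interprets the test.cgi output exactly as the verification steps describe. The Host value is a constructed sample; probe_server assumes test.cgi is installed at /cgi-bin/test.cgi on the server you name, as the post describes.

```python
"""
httpoxy in miniature: the CGI header-to-environment mapping that causes the
collision, the edge mitigation that breaks it, and a checker for test.cgi
output.  Added example; not code from the original post.
"""
import http.client
import re
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# The request the post's curl command sends (constructed sample; Host is made up).
PROBE_HEADERS: Headers = [("Host", "www.example.com"), ("Proxy", "AFFECTED")]


def cgi_meta_variables(headers: Headers) -> Dict[str, str]:
    """RFC 3875 section 4.1.18: every request header becomes a meta-variable
    named HTTP_ plus the header name upper-cased with '-' turned into '_'.
    That rule is why a client-supplied 'Proxy:' header lands in HTTP_PROXY,
    the same name outgoing HTTP clients read for their proxy setting."""
    env: Dict[str, str] = {}
    for name, value in headers:
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        value = value.strip()
        # Repeated headers are merged into one comma-separated value.
        env[key] = env[key] + ", " + value if key in env else value
    return env


def strip_proxy_header(headers: Headers) -> Headers:
    """What the edge mitigations do (RequestHeader unset Proxy,
    http-request del-header Proxy, unset req.http.proxy): drop the header
    before the gateway builds the environment.  Header names are
    case-insensitive, so 'proxy' and 'PROXY' must go as well."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]


def cgi_probe_output(env: Dict[str, str]) -> str:
    """Same text the post's test.cgi prints: HTTP_PROXY='<value>'."""
    return "HTTP_PROXY='%s'\n" % env.get("HTTP_PROXY", "")


def simulate_gateway(headers: Headers, hardened: bool) -> str:
    """Run the probe through an in-process stand-in for the web server:
    unhardened passes every header into the environment, hardened strips
    Proxy first."""
    if hardened:
        headers = strip_proxy_header(headers)
    return cgi_probe_output(cgi_meta_variables(headers))


def is_affected(body: str) -> bool:
    """Interpret test.cgi output as the post does: an empty value means the
    Proxy header never reached the script; anything else means it did."""
    m = re.search(r"HTTP_PROXY='([^']*)'", body)
    if m is None:
        raise ValueError("unexpected test.cgi output: %r" % body)
    return m.group(1) != ""


def probe_server(host: str, port: int = 80, path: str = "/cgi-bin/test.cgi") -> bool:
    """Equivalent of: curl -H "Proxy: AFFECTED" http://host/cgi-bin/test.cgi
    against a server where test.cgi is installed.  Returns True if affected."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path, headers={"Proxy": "AFFECTED"})
        body = conn.getresponse().read().decode("utf-8", "replace")
    finally:
        conn.close()
    return is_affected(body)


if __name__ == "__main__":
    # Offline demonstration: the same probe against an unhardened and a hardened gateway.
    for hardened in (False, True):
        body = simulate_gateway(PROBE_HEADERS, hardened)
        verdict = "affected" if is_affected(body) else "unaffected"
        print("hardened=%s -> %s -> %s" % (hardened, body.strip(), verdict))
```

Running the script offline prints the unhardened gateway as affected and the hardened one as unaffected; point probe_server at a real host once test.cgi is in place and it returns the same verdict the curl check gives.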