CGI application vulnerability httpoxy for PHP, Go, Python and others
Last updated on: September 6, 2020
A CGI application vulnerability called httpoxy was announced today with coordinated disclosure from many vendors. The vulnerability allows an attacker to remotely set the HTTP_PROXY environment variable on affected servers which can lead to a number of bad consequences.
For starters if the targeted web application makes an API request to other server for information on the user, an attacker can change the response by redirecting the request to his malicious API server. For example if a banking application makes a request to another server to find if the user has enough money, then the attacker can route this request to his compromised API server which will respond that there is enough money in the account. In another scenario an attacker can steal API credentials of the web application while it is trying to authenticate to another API server by redirecting the request to the attacker controlled API server.
Best advice is to patch as soon as possible as Red hat, CentOS, SuSE and other vendors have started releasing patches. But immediate mitigation before patching can be performed by blocking ‘Proxy’ request headers as early as possible before they hit your application. httproxy.org has this spelled out in detail for Apache, OpenBSD, Nginx/FastCGI and others.