Subject: CVE-2016-5385 HTTPoxy Vulnerability
Tech Stack:
Date Issued:
- Original Date: 2016-07-18
- Last Modified Date: 2016-07-20
Criticality:
- Severity: High
- Description: This vulnerability allows remote attackers to redirect an application's outbound HTTP requests through a proxy server they control, leading to information disclosure or remote code execution.
Overview:
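- CVE-2016-5385, also known as the HTTPoxy vulnerability, affects web applications running in CGI or CGI-like environments. These environments expose each request header to the application as an HTTP_-prefixed environment variable, so a client-supplied Proxy header becomes HTTP_PROXY, the same variable many HTTP client libraries read to configure an outbound proxy. An attacker can therefore route the application's outbound requests through a malicious server.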
Attack Mechanisms:
- Attacker sends a crafted HTTP request with a Proxy header.
- The web server sets the HTTP_PROXY environment variable based on this header.
- The CGI application makes an HTTP request that gets proxied through the attacker’s server.
Affected Systems:
- Web servers running CGI-based applications, including PHP, Python, and Ruby.
Mitigation Solution:
- Upgrade: Apply patches provided by your web server and framework vendors.
- Configuration: Set a policy to ignore the HTTP_PROXY variable. For example, in Apache, you can strip the Proxy request header before it reaches the application, so that HTTP_PROXY is never set from it, using:
<IfModule mod_headers.c>
RequestHeader unset Proxy early
</IfModule>
- Environment Variables: Secure environment variables and avoid relying on user-controlled input for configuration.
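An application-side counterpart to the Apache directive, as an added example that is not part of the original advisory: it shows how a Proxy header turns into HTTP_PROXY under the CGI naming convention and removes it before application code runs. The function and class names, the sample headers and the proxy.invalid host are constructed for illustration.

```python
import os

def cgi_meta_variables(headers):
    """Map request headers to CGI meta-variables (RFC 3875 convention):
    upper-case the name, turn '-' into '_', and prefix it with HTTP_."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET"}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        # Content-Type and Content-Length are the two unprefixed exceptions.
        env[key if key in ("CONTENT_TYPE", "CONTENT_LENGTH") else "HTTP_" + key] = value
    return env

def scrub_proxy(environ):
    """Remove the header-derived HTTP_PROXY; report whether it was present.
    A lower-case http_proxy set by the operator is deliberately left alone."""
    return environ.pop("HTTP_PROXY", None) is not None

def scrub_cgi_process(environ=os.environ):
    """Call first in a CGI script: scrub only when a gateway launched us."""
    if "GATEWAY_INTERFACE" in environ or "REQUEST_METHOD" in environ:
        return scrub_proxy(environ)
    return False

class StripProxyHeader:
    """WSGI middleware: drop HTTP_PROXY before the wrapped app sees it."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        scrub_proxy(environ)
        return self.app(environ, start_response)

# Constructed sample request headers (not taken from a real capture).
SAMPLE_HEADERS = {"Host": "app.example", "Proxy": "http://proxy.invalid:8080",
                  "Content-Type": "text/plain"}

def demo():
    seen = {}
    def app(environ, start_response):
        seen["proxy"] = environ.get("HTTP_PROXY")  # what the app would read
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    environ = cgi_meta_variables(SAMPLE_HEADERS)
    mapped = environ.get("HTTP_PROXY")  # value the gateway derived from the header
    body = StripProxyHeader(app)(environ, lambda status, headers: None)
    return mapped, seen["proxy"], body

if __name__ == "__main__":
    print(demo())
```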