A CGI application vulnerability called httpoxy was announced in July with coordinated disclosure from many vendors. httpoxy is a set of vulnerabilities that affect application code running in CGI or CGI-like environments. The vulnerability allows an attacker to remotely set the HTTP_PROXY environment variable on affected servers, which can have a number of bad consequences and makes the flaw remotely exploitable. It mainly affects applications that use the “classic” CGI execution model. For PHP (both the CGI and mod_php versions), whether you are vulnerable depends on your specific application code and PHP libraries. If you run Python or Go under CGI, they can also be vulnerable. httpoxy has a number of CVEs assigned to it.
This issue is not new, but it has just come back into the limelight. httpoxy affects clients that honor the HTTP_PROXY variable and use it for their proxy configuration, and server-side applications that expose HTTP_PROXY as a real or emulated variable in their environment. The bug was first discovered over 15 years ago, but in July 2016 researchers found that it was still exploitable in PHP. So the bug lay dormant for years, like a latent infection: pox. To put it plainly: there is no way to trust the value of an HTTP_ environment variable in a CGI environment, and you should block the Proxy header.
The best advice is to patch as soon as possible. Immediate mitigation before patching can be performed by blocking ‘Proxy’ request headers as early as possible; httpoxy.org has released details for many environments (Apache, OpenBSD, Nginx/FastCGI and others). If you’re running PHP or CGI, you should block the Proxy header now. Blocking can be done in the web server, web load balancer, web proxy or cloud proxy service.
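As an added example (not code from the original article or from httpoxy.org), the following Python shows how a CGI gateway's header-to-environment mapping turns a client-supplied Proxy header into HTTP_PROXY, a hardened mapping that drops that header before it reaches the application, and which proxy settings a urllib client would actually use in each case. The hostnames and header values are constructed for the example.

```python
import os
from unittest.mock import patch
from urllib.request import getproxies_environment

# Constructed sample request, as a CGI gateway would receive it.
# Hostnames and the malicious Proxy value are invented for this example.
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "User-Agent": "curl/7.0",
    "Proxy": "http://attacker-controlled.example:8080",
}


def cgi_meta_variables(headers):
    """Plain RFC 3875 mapping: each request header becomes HTTP_<NAME>.

    A client-supplied 'Proxy' header therefore lands in HTTP_PROXY, the
    same variable many HTTP client libraries read for their proxy setting."""
    env = {"REQUEST_METHOD": "GET"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_meta_variables_hardened(headers):
    """Same mapping, but the Proxy header is dropped before it can become
    HTTP_PROXY; this is the server-side mitigation the article recommends."""
    env = {"REQUEST_METHOD": "GET"}
    for name, value in headers.items():
        if name.lower() == "proxy":
            continue  # no standard client sends this header; refuse it
        env["HTTP_" + name.upper().replace("-", "_")] = value
    env.pop("HTTP_PROXY", None)  # belt and braces: never pass it through
    return env


def proxies_seen_by_client(env):
    """Proxy settings a urllib-based client would use when run with `env`.

    Patched Python releases ignore HTTP_PROXY whenever REQUEST_METHOD is set
    (i.e. the process looks like a CGI script); outside CGI it is honored."""
    with patch.dict(os.environ, env, clear=True):
        return getproxies_environment()


if __name__ == "__main__":
    naive = cgi_meta_variables(SAMPLE_HEADERS)
    print("naive CGI env HTTP_PROXY:", naive.get("HTTP_PROXY"))
    print("hardened env HTTP_PROXY:", cgi_meta_variables_hardened(SAMPLE_HEADERS).get("HTTP_PROXY"))
    print("client proxy config under CGI:", proxies_seen_by_client(naive))
```

The last check also shows why a patched language runtime helps even when the gateway is not fixed: the client library refuses HTTP_PROXY once it sees CGI's REQUEST_METHOD.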
The vulnerability is easily exploitable remotely, and servers can be scanned for it. For details, read the article HTTPOXY Vulnerability: How to protect and test your web server, which recommends the https://httpoxy.rehmann.co/ service for testing your own servers.