Httpoxy vulnerability - Vulnerability Database

Httpoxy vulnerability

Description

HTTPoxy is a vulnerability affecting applications running in CGI or CGI-like environments that stems from a namespace collision between HTTP headers and environment variables. RFC 3875 (the CGI specification) requires the server to expose each request header as a meta-variable named HTTP_ followed by the upper-cased header name, so a client that sends a 'Proxy' header causes the server to set the HTTP_PROXY environment variable. Since HTTP_PROXY is commonly read by applications and HTTP client libraries to configure outbound proxy settings, an attacker who controls the Proxy request header can inject a malicious proxy configuration and route the application's server-side HTTP requests through a proxy of their choosing. This allows remote attackers to intercept or manipulate server-side HTTP requests without authentication.

Remediation

Implement the following mitigations to protect against HTTPoxy attacks:

1. Block the Proxy Header (Recommended)
Configure your web server to strip or reject the Proxy header before it reaches your application. This prevents the malicious header from being set in the environment.

For Apache, add to your configuration:

RequestHeader unset Proxy early

For Nginx, add to your server block:
fastcgi_param HTTP_PROXY "";

For HAProxy, add to your frontend or backend:
http-request del-header Proxy

2. Update Affected Software
Update CGI libraries, PHP, Python, Go HTTP clients, and other affected components to versions that include HTTPoxy fixes.

3. Use CGI_HTTP_PROXY Instead
If your application needs to support legitimate proxy configurations, use the CGI_HTTP_PROXY environment variable instead of HTTP_PROXY, as it cannot be set via HTTP headers.

4. Validate Environment Variables
In application code, explicitly validate or sanitize the HTTP_PROXY variable before use, or set it explicitly rather than relying on environment inheritance.
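Steps 3 and 4 in application code, as an added example (not Invicti's code): the first function reproduces the RFC 3875 header-to-variable mapping that creates the collision, and the second resolves an outbound proxy that ignores HTTP_PROXY whenever the process is running under CGI (REQUEST_METHOD is set), honours only CGI_HTTP_PROXY there, and validates the value before use. The environment dictionaries and proxy hostnames are constructed for illustration.

```python
from typing import Mapping, Optional
from urllib.parse import urlsplit


def cgi_meta_variables(headers: Mapping[str, str]) -> dict:
    """Map request headers to CGI meta-variables as RFC 3875 prescribes:
    upper-case, '-' replaced by '_', prefixed with HTTP_. This is the step
    that turns a client-supplied 'Proxy' header into HTTP_PROXY."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def _valid_proxy_url(value: str) -> bool:
    """Accept only absolute http(s) URLs with a hostname (step 4: validate)."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def resolve_outbound_proxy(environ: Mapping[str, str]) -> Optional[str]:
    """Return the proxy URL the application may use for outbound requests,
    or None when no trustworthy proxy is configured.

    Under CGI, REQUEST_METHOD is always set by the server and every HTTP_*
    variable may originate from the client, so HTTP_PROXY is never trusted
    there; only CGI_HTTP_PROXY, which no request header can populate, is
    honoured (step 3). Outside CGI, HTTP_PROXY is ordinary operator
    configuration and is accepted after validation."""
    if "REQUEST_METHOD" in environ:
        candidate = environ.get("CGI_HTTP_PROXY", "")
    else:
        candidate = environ.get("HTTP_PROXY") or environ.get("http_proxy", "")
    return candidate if candidate and _valid_proxy_url(candidate) else None


if __name__ == "__main__":
    # Constructed sample: the gateway builds a CGI environment for a request
    # that carries an attacker-supplied Proxy header (hostnames are made up).
    request_headers = {"Host": "app.example", "Proxy": "http://proxy.attacker.invalid:8080"}
    cgi_env = {"REQUEST_METHOD": "GET", **cgi_meta_variables(request_headers)}
    print("HTTP_PROXY seen by the app:", cgi_env["HTTP_PROXY"])
    print("proxy actually used:", resolve_outbound_proxy(cgi_env))
    cgi_env["CGI_HTTP_PROXY"] = "http://proxy.internal.invalid:3128"
    print("proxy with CGI_HTTP_PROXY:", resolve_outbound_proxy(cgi_env))
```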
