On July 18, 2016, the vulnerability called HTTPoxy was disclosed. The bug lets an attacker redirect the HTTP requests an application makes: by sending a Proxy HTTP header with their request, an attacker can change the proxy through which the application reaches backend services. In that way an intruder can steal credentials, alter the responses the application receives, gain access to confidential data, and so on.
The root cause is a name collision between the HTTP_PROXY environment variable, which configures a backend proxy server, and the Proxy HTTP client header. Under the CGI specification, the web server passes every client header to the application as an environment variable prefixed with HTTP_, so a Proxy header arrives as HTTP_PROXY; this is where the conflict comes from. If the CGI application or a library it uses reads this variable without further checks, it will use the client-supplied value when connecting to a proxy server.
HTTPoxy is a common CGI vulnerability that is present in almost every CGI application. Early forms of it were discovered back in 2001, but they were never treated as a single widespread vulnerability. Fortunately, the bug is quite simple to fix or mitigate:
- Applications and libraries can ignore the HTTP_PROXY variable when running in a CGI environment.
- Applications and libraries can use a different environment variable to configure the proxy server.
- Web servers and proxy servers can drop the Proxy client header.
Luckily, the Proxy header is not a standard HTTP header, so in most cases you can simply configure your web server or load balancer to ignore it. Any common web server, proxy server or load balancer can drop the Proxy client header easily.
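To make the name collision and the mitigations above concrete, here is an added Python example that is not code from the original article: it simulates the web server's CGI header-to-environment mapping (with the server-side option of dropping the Proxy header) and an application-side proxy selection that ignores HTTP_PROXY under CGI. The header values are constructed, and CGI_HTTP_PROXY is an assumed name for the alternative configuration variable.

```python
def cgi_environ(headers, drop_proxy_header=True):
    """Simulate the CGI mapping a web server performs: each client header
    becomes HTTP_<NAME> in the script's environment. With
    drop_proxy_header=True the (non-standard) Proxy header is discarded
    before the mapping, which is the web-server-side mitigation."""
    env = {"REQUEST_METHOD": "GET"}  # presence marks a CGI execution context
    for name, value in headers.items():
        if drop_proxy_header and name.lower() == "proxy":
            continue  # never let a client header become HTTP_PROXY
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def outbound_proxy(env):
    """Application-side mitigation: choose the proxy for backend requests.
    Under CGI (REQUEST_METHOD is set) HTTP_PROXY may have come from a client
    header, so it is ignored and only CGI_HTTP_PROXY (assumed name, set by the
    operator, never by a client) is honoured. Outside CGI the usual variables
    are trusted."""
    if "REQUEST_METHOD" in env:
        return env.get("CGI_HTTP_PROXY")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


if __name__ == "__main__":
    # Constructed request carrying a client-supplied Proxy header.
    headers = {"Host": "app.example", "Proxy": "http://client-supplied.invalid:8080"}

    unhardened = cgi_environ(headers, drop_proxy_header=False)
    print("HTTP_PROXY seen by script:", unhardened.get("HTTP_PROXY"))
    print("proxy actually used:", outbound_proxy(unhardened))  # None: ignored

    hardened = cgi_environ(headers)
    print("HTTP_PROXY after header drop:", hardened.get("HTTP_PROXY"))  # None
```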