HTTPOXY Vulnerability

From Reddit:


I'm the person who wrote up httpoxy. Here's the summary I was going to post here, roughly:

A few weeks ago, my team (re)discovered a security vulnerability in CGI and PHP applications that make outgoing HTTP requests. The vulnerability allows a remote attacker to control where requests are sent. The problem boils down to two things:

  • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy (and is trusted, e.g. in PHP's Guzzle 4+, or Go's net/http, or Python's requests)

We've prepared a public disclosure site at https://httpoxy.org that explains the issue in detail, and provides fast and easy methods of mitigating the danger (basically: block the Proxy header upstream of your application). (The embargo has just ended, but the language SRTs have been aware for weeks.)

The language and CGI implementation teams will have patched versions available soon, but we recommend you just block the Proxy header immediately; it's undefined by IETF and not assigned on the IANA registry of message headers - nobody is using it, except attackers, soon.

If you'd like to read detailed mitigation information for Apache (including Apache Tomcat CGI), I recommend the ASF's official advisory at: https://www.apache.org/security/asf-httpoxy-response.txt (but remember, Nginx FastCGI plus PHP-FPM is affected too - it's not an Apache-specific issue.)



What can happen if my web application is vulnerable?

If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:

  • Proxy the outgoing HTTP requests made by the web application
  • Direct the server to open outgoing connections to an address and port of their choosing
  • Tie up server resources by forcing the vulnerable software to use a malicious proxy

httpoxy is extremely easy to exploit in basic form. And we expect security researchers to be able to scan for it quickly. Luckily, if you read on and find you are affected, easy mitigations are available.


This is very easy to exploit, so I recommend everyone mitigate it.


Add this to the fastcgi parameters:

fastcgi_param HTTP_PROXY "";


Add this to the .htaccess:

<IfModule mod_headers.c>
   RequestHeader unset Proxy
</IfModule>

If you want to check if your site is vulnerable:

Create a PHP file named httpoxy.php with this content and put it in your public html:

<?php
if (isset($_SERVER['HTTP_PROXY']) && $_SERVER['HTTP_PROXY'] == 'vulnerable') {
  echo 'Vulnerable!';
}

Now run this on your server:

curl --header "Proxy: vulnerable" http://example.com/httpoxy.php

If you don't receive anything, you are good. If you receive "Vulnerable!", you are not good.

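How the Proxy request header collides with HTTP_PROXY, and what stripping it upstream changes, shown as an added example that is not part of the original post or the httpoxy write-up. It is a simplified Python model of the RFC 3875 header mapping; the function names, sample headers and the internal proxy hostname are constructed for illustration.

```python
def cgi_environ(headers, server_env, strip_proxy=False):
    """Model of RFC 3875 section 4.1.18: each request header becomes the
    meta-variable HTTP_<NAME> (upper-cased, '-' replaced by '_')."""
    meta = {}
    for name, value in headers:
        if strip_proxy and name.lower() == "proxy":
            continue  # mitigation: drop the header before the application sees it
        key = "HTTP_" + name.upper().replace("-", "_")
        # Repeated headers are folded into one value (comma-joined in this model).
        meta[key] = f"{meta[key]}, {value}" if key in meta else value
    # Request-derived variables overlay whatever the operator configured.
    return {**server_env, **meta}


def outbound_proxy(env):
    """Simplified stand-in for an HTTP client that trusts HTTP_PROXY."""
    return env.get("HTTP_PROXY") or None


# Constructed sample data: 198.51.100.0/24 is a documentation address range,
# and proxy.internal is a hypothetical operator-configured proxy.
SAMPLE_HEADERS = [
    ("Host", "example.com"),
    ("User-Agent", "curl/8.0"),
    ("pRoXy", "http://198.51.100.7:8080"),  # header names are case-insensitive
]
SERVER_ENV = {"REQUEST_METHOD": "GET", "HTTP_PROXY": "http://proxy.internal:3128"}


def compare():
    """Return the proxy the client would use without and with the filter."""
    exposed = cgi_environ(SAMPLE_HEADERS, SERVER_ENV)
    filtered = cgi_environ(SAMPLE_HEADERS, SERVER_ENV, strip_proxy=True)
    return outbound_proxy(exposed), outbound_proxy(filtered)


if __name__ == "__main__":
    before, after = compare()
    print("Proxy header passed through ->", before)
    print("Proxy header stripped       ->", after)
```

With the header stripped, the operator's own HTTP_PROXY setting survives, which is why filtering the request header is a safe default even where an outgoing proxy is in legitimate use.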