A pox on your servers: dormant vulnerability patched after 15 years
Httpoxy: serious flaw that can be mitigated easily
Flaws in the HTTP Proxy header used in PHP, Go and Python have been fixed after laying dormant for 15 years.
Dubbed Httpoxy, the flaw was discovered in March 2001. While it was fixed in open source programming language Perl, it was still present in a number of other languages and applications.
The vulnerability is due to a misconfiguration in the HTTP_PROXY variable that is frequently used by Common Gateway Interface (CGI) environment scripts.
“If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to: proxy the outgoing HTTP requests made by the web application; direct the server to open outgoing connections to an address and port of their choosing; and tie up server resources by forcing the vulnerable software to use a malicious proxy,” said the researchers.
The researcher warned that Httpoxy is “extremely easy to exploit in basic form”.
In an advisory notice from Red Hat, it said that applications, language libraries and scripting modules use this environment variable to configure their proxy for subsequent outgoing HTTP traffic.
It said the problem was down to a CGI script that cannot distinguish between CGI's "Protocol-Specific Meta-Variable", containing the value of the HTTP request's "Proxy" header, and the "system" environment variable HTTP_PROXY, containing HTTP proxy settings.
“A CGI script, module, or library reads the ‘HTTP_PROXY' environment variable, and assumes that this contains the ‘system' HTTP proxy settings. The misinterpreted value then changes how new HTTP requests are dealt with by the CGI script (and any other scripts and programs it may call) made during the processing of the current HTTP request,” according to the advisory.
In other words, the flaw could lead to data leaking from websites on a massive scale as scripts processing data by internal servers may then send this data off to external servers operated by hackers.
Red Hat said customers using CGI scripts with PHP, Go or Python are strongly recommended to apply mitigations to their systems.
Chris Fearon, director of security research at Black Duck Software, told SCMagazineUK.com that it is extremely likely that we will see attacks on infrastructure using this flaw.
“This flaw is trivial to exploit (simply supply a HTTP header value) and is easy to find and identify within existing open-source software packages.”
He added that mitigation is simple and can be implemented in a short timeframe. “Simply block or remove the ‘Proxy' request headers as early as possible, preferably on the application firewall or directly on the webserver.”
Fearon added that sites using HTTPS are not vulnerable. “Yet another reason why all sites should implement HTTPS.”
Craig Parkin, associate partner at Citihub Consulting, told SC that untrustworthy inbound headers can be dropped in a number of ways by most firms. “Headers can be dropped by web application firewalls, load balancer or by the web servers themselves,” he said.
Parkin added that Apache is already including a patch in its latest versions and “offers a source code patch to those who want to recompile earlier versions themselves”.