ALERT: Mitigate ASAP for httpoxy vulnerabilities that affect CGI code

Monday, July 18, 2016

This information was sent to IT staff groups July 18, 2016. It is intended for U-M IT staff who are responsible for university web servers or web applications using PHP or CGI.

Summary: 

A set of vulnerabilities, called httpoxy, has been discovered that affects application code running in CGI (Common Gateway Interface) or CGI-like environments. If you are responsible for web servers that use PHP or CGI, block proxy request headers as soon as possible to mitigate the vulnerabilities.

Problem: 

httpoxy focuses on a namespace conflict that leads to a remotely exploitable vulnerability.

  • RFC 3875 (CGI) puts the HTTP proxy header from a request into the environment variables as HTTP_PROXY.
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy.
Affected Systems: 

Web servers running  PHP or CGI. A few things are necessary to be vulnerable:

  • Code running under a CGI-like context, where HTTP_PROXY becomes a real or emulated environment variable.
  • An HTTP client (on the web server) that trusts HTTP_PROXY, and configures it as the proxy.
  • That client, used within a request handler, making an outbound HTTP (as opposed to HTTPS) request from the web server.

Affected languages confirmed thus far include PHP, Python, and Go.

Action Items: 

The best immediate mitigation is to block proxy request headers as early as possible, and before they hit your application, such as by filtering these request headers within Apache, NGINX, IIS, or other front-end software. See instructions for immediate mitigation.

After you have mitigated for httpoxy, evaluate options to further prevent exposure to it. See prevention instructions.

Threats: 

It is extremely easy to exploit httpoxy. If a vulnerable HTTP client makes an outgoing HTTP connection while running in a server-side CGI application, an attacker may be able to:

  • Proxy the outgoing HTTP requests made by the web application.
  • Direct the server to open outgoing connections to an address and port of their choosing.
  • Tie up server resources by forcing the vulnerable software to use a malicious proxy.
Information for Users: 

httpoxy is a set of vulnerabilities that affect server-side web applications. If you’re not responsible for running web applications or web servers, you don’t need to worry. Those who use web browsers to access web applications do not need to do anything. Server administrators must perform the mitigation.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.