Description

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

  • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

This leads to a remotely exploitable vulnerability. If you're running PHP or CGI, you should block the Proxy header.

Remediation

The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application.

References

httpoxy - A CGI application vulnerability

Related Vulnerabilities

Atlassian JIRA Servicedesk misconfiguration

Laravel Terminal open

Oracle E-Business Suite iStore open user registration

Spring Misconfiguration: HTML Escaping disabled

Apache Server-Info Detected

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Configuration Acumonitor