edit-icon download-icon

[Vulnerability notice] HTTP Proxy environment variable hijacking vulnerability in CGI applications

Last Updated: May 07, 2018

Description

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments.

  • When a service is running in CGI and its request header contains “PROXY Header”, the CGI program writes the content of the “PROXY Header” into the currently running environment variable HTTP_PROXY.
  • If the program needs to send HTTP communications to the outside during processing, the request is forwarded to the server specified by the “PROXY Header” mentioned earlier.

Attackers may build their own proxy servers and intercept the data sent by the CGI program to the external party through contaminating the “PROXY Header” to steal sensitive information. In addition, attackers may maliciously construct and return data to the CGI program to deceive the program.

Affected versions

All CGI programs that are coded to communicate with the outside

Fix

  • Use Alibaba Cloud Security Web Application Firewall to intercept the attacking code of this vulnerability.

  • Disable the Proxy headers in all requests.

  • See the fixes offered by the vulnerability author.

Thank you! We've received your feedback.