HTTPoxy - Is my Apache mod_cgi affected?
Environment
- Red Hat Enterprise Linux 4.x
- Red Hat Enterprise Linux 5.x
- Red Hat Enterprise Linux 6.x
- Red Hat Enterprise Linux 7.x
- Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7
- Red Hat JBoss Web Server 1.x
- Red Hat JBoss Web Server 2.x
- Red Hat JBoss Web Server 3.x
- Red Hat JBoss Enterprise Application Platform 5.x
- Red Hat JBoss Enterprise Application Platform 6.x
Issue
- This issue applies when you're using Apache httpd's mod_cgi with PHP, Python, Go, and possibly other languages. If your CGI script opens a network connection to another service, any outgoing requests generated in turn from the attacker's original request can be redirected to an attacker-controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or hold connections open, causing a potential denial of service.
Resolution
- To address the issue, httpd was modified to not export the value of the Proxy HTTP header to the CGI script environment. Refer to the "Resolve" tab of the HTTPoxy - CGI "HTTP_PROXY" variable name clash vulnerability article for the list of httpd errata for various Red Hat products which incorporate the change.
- Alternatively, this issue can be addressed via httpd configuration, using the mod_headers extension module with the following configuration:

  RequestHeader unset Proxy early

  This setting causes httpd to unset the Proxy header from the incoming HTTP request before initializing the CGI environment. See Apache - Mod Headers for more information about the RequestHeader configuration directive.
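The following is an added example, not code from this article or from httpd. It models how mod_cgi maps request headers onto CGI meta-variables (the RFC 3875 rule: uppercase, "-" becomes "_", prefixed with HTTP_), which is why a client-supplied Proxy header lands in HTTP_PROXY, and it models the effect of `RequestHeader unset Proxy early`. The sample request headers and the 203.0.113.10 address are constructed; the function names are the example's own. When the same file is placed under mod_cgi it acts as a diagnostic script: an administrator who requests it with a Proxy header gets back whether the header reached the script's environment.

```python
"""Model of how Apache mod_cgi turns request headers into CGI environment
variables, and of the `RequestHeader unset Proxy early` mitigation.

Added example, not code from the Red Hat article or from httpd itself.
The header-to-variable mapping follows RFC 3875 section 4.1.18; the
sample request below is constructed.
"""
import os
import sys

# Constructed sample request: an ordinary request that also carries a Proxy
# header. 203.0.113.0/24 is an RFC 5737 documentation range.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "curl/7.29.0",
    "Proxy": "http://203.0.113.10:8080",
}


def meta_variable_name(header_name):
    """RFC 3875: 'Proxy' -> 'HTTP_PROXY', 'User-Agent' -> 'HTTP_USER_AGENT'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def cgi_environment(headers, method="GET"):
    """Build the HTTP_* part of a CGI environment the way an unpatched
    mod_cgi does: every request header is exported, Proxy included."""
    env = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        env[meta_variable_name(name)] = value
    return env


def unset_proxy_early(headers):
    """Equivalent of `RequestHeader unset Proxy early`: drop the Proxy header
    (header names are case-insensitive) before the CGI environment is built."""
    return {n: v for n, v in headers.items() if n.lower() != "proxy"}


def http_proxy_is_clobbered(env):
    """True when a CGI script would see a request-supplied HTTP_PROXY.

    REQUEST_METHOD marks a CGI context. A genuine proxy setting belongs in
    the server's own environment, so HTTP_PROXY appearing alongside
    REQUEST_METHOD means it was derived from a request header.
    """
    return "REQUEST_METHOD" in env and "HTTP_PROXY" in env


def diagnostic_report(env=None):
    """Text a diagnostic CGI script returns to an administrator who sends it
    a request carrying a Proxy header: affected, or not."""
    env = os.environ if env is None else env
    if http_proxy_is_clobbered(env):
        return "AFFECTED: HTTP_PROXY is set from the request: %r" % env["HTTP_PROXY"]
    return "OK: Proxy header is not exported to the CGI environment"


if __name__ == "__main__":
    if "REQUEST_METHOD" in os.environ:
        # Deployed under mod_cgi: report on the real environment.
        sys.stdout.write("Content-Type: text/plain\r\n\r\n")
        sys.stdout.write(diagnostic_report() + "\n")
    else:
        # Run from a shell: show the modelled environment before and after
        # the mod_headers mitigation.
        print(diagnostic_report(cgi_environment(SAMPLE_HEADERS)))
        print(diagnostic_report(cgi_environment(unset_proxy_early(SAMPLE_HEADERS))))
```

Run from a shell it prints the AFFECTED line for the unmitigated environment and the OK line once the Proxy header is dropped. Deployed as a CGI script on a server that has either the errata or the mod_headers rule in place, a request with a Proxy header should always produce the OK line; the AFFECTED line means the header is still being exported.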
Root Cause
- See HTTPoxy - CGI "HTTP_PROXY" variable name clash for more information.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.