HTTPoxy - Is my PHP application affected?

Solution In Progress - Updated

Environment

Red Hat Enterprise Linux 5.x
Red Hat Enterprise Linux 6.x
Red Hat Enterprise Linux 7.x
Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7

Issue

This issue applies when you are using PHP in any of its typical modes of use: mod_php, CGI, or FastCGI.

PHP's getenv('HTTP_PROXY') and the $_SERVER['HTTP_PROXY'] superglobal can both return the content of the incoming HTTP request's Proxy header, because the web server maps every request header to a CGI variable named HTTP_<HEADER>.

If your PHP script uses getenv('HTTP_PROXY') or $_SERVER['HTTP_PROXY'] to configure the outgoing proxy for subsequent HTTP requests, or if it uses a module or library that exposes this behavior (for example Guzzle), then all subsequent HTTP traffic originating from the PHP script can be redirected through an outside proxy under the attacker's control.
</gml_replace>
<gr_replace lines="20" cat="clarify" orig="Note that PHP">
Note that PHP's built-in curl extension, which provides bindings to the libcurl library, is not itself vulnerable. The vulnerability is introduced by PHP libraries that use the methods above to determine which proxy to use.

Note that PHP’s built-in curl extension providing bindings to the libcurl library is not itself vulnerable, the vulnerability is introduced by PHP libraries that use the above methods to determine proxy use.

Please note that this is only an issue if the affected PHP script is deployed on an HTTP server that passes the contents of the Proxy header of an incoming HTTP request through to the PHP script.
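The following script is an added example, not code from the Red Hat article or from PHP itself. It shows the vulnerable pattern (trusting HTTP_PROXY unconditionally) beside a hardened version that only honours the variable under the CLI SAPI, plus a request-time scrub that removes the attacker-controlled value before any library reads it. The $server array and the proxy value in it are constructed for the demonstration; in a real deployment PHP populates $_SERVER from the request.

```php
<?php
// Added example (not from the Red Hat article). Demonstrates why HTTP_PROXY
// must not be trusted in a web SAPI and how a script can resolve a proxy safely.

/**
 * Constructed stand-in for $_SERVER as a CGI/FastCGI/mod_php SAPI would fill it
 * for a request carrying "Proxy: http://attacker.example:8080". The header
 * becomes HTTP_PROXY because every request header is mapped to HTTP_<NAME>.
 */
function sample_environment(): array
{
    return [
        'HTTP_PROXY'     => 'http://attacker.example:8080', // constructed value
        'REQUEST_METHOD' => 'GET',
    ];
}

/** Vulnerable pattern: trusts HTTP_PROXY regardless of how PHP was started. */
function proxy_vulnerable(array $server): ?string
{
    return $server['HTTP_PROXY'] ?? null;
}

/**
 * Hardened pattern: HTTP_PROXY is only a genuine operator setting when PHP was
 * started from a shell (CLI SAPI). In any web SAPI the variable may contain
 * request data, so it is ignored there.
 */
function proxy_hardened(array $server, string $sapi): ?string
{
    if ($sapi !== 'cli') {
        return null;
    }
    return $server['HTTP_PROXY'] ?? null;
}

/**
 * Defensive cleanup to run at the very start of a web request, before any
 * library that calls getenv('HTTP_PROXY') is loaded.
 */
function scrub_request_proxy(): void
{
    if (PHP_SAPI !== 'cli') {
        unset($_SERVER['HTTP_PROXY'], $_ENV['HTTP_PROXY']);
        putenv('HTTP_PROXY'); // no "=value" part removes it from the process environment
    }
}

/**
 * Detection helper: true when a Proxy header reached PHP in a web request,
 * which is worth logging because the server-side mitigation should prevent it.
 */
function detect_proxy_header(array $server): bool
{
    return isset($server['REQUEST_METHOD'], $server['HTTP_PROXY']);
}

$env = sample_environment();
echo 'vulnerable:         ' . var_export(proxy_vulnerable($env), true) . PHP_EOL;   // attacker URL
echo 'hardened (web):     ' . var_export(proxy_hardened($env, 'fpm-fcgi'), true) . PHP_EOL; // NULL
echo 'hardened (cli):     ' . var_export(proxy_hardened($env, 'cli'), true) . PHP_EOL;      // URL kept
echo 'header reached PHP: ' . var_export(detect_proxy_header($env), true) . PHP_EOL;       // true
scrub_request_proxy();
```

Running the file under the CLI SAPI prints the four lines noted in the comments; scrub_request_proxy() does nothing there because PHP_SAPI is 'cli'. The script-level scrub is a belt-and-braces measure only: the article's recommended fix is to strip the Proxy header at the HTTP server or web application firewall so the value never reaches PHP at all.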

Resolution

Red Hat has issued updates and mitigation guides for HTTP servers which prevent them from passing the contents of the HTTP Proxy header to the PHP script. Updating your HTTP server or applying the mitigation closes this vector and prevents exploitation of this flaw.

To prevent the attacker-supplied header from being used, either of the following approaches can be used:

  • Configure your web application firewall to remove the Proxy header from incoming HTTP requests
  • Configure your HTTP server to remove the Proxy header before PHP scripts are invoked

Root Cause

See HTTPoxy - CGI "HTTP_PROXY" variable name clash for more information.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
