HTTPoxy - Is my Apache mod_cgi affected?

Solution In Progress - Updated -

Environment

  • Red Hat Enterprise Linux 4.x
  • Red Hat Enterprise Linux 5.x
  • Red Hat Enterprise Linux 6.x
  • Red Hat Enterprise Linux 7.x
  • Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7
  • Red Hat JBoss Web Server 1.x
  • Red Hat JBoss Web Server 2.x
  • Red Hat JBoss Web Server 3.x
  • Red Hat JBoss Enterprise Application Platform 5.x
  • Red Hat JBoss Enterprise Application Platform 6.x

Issue

  • This issue applies when you’re using Apache httpd's mod_cgi with PHP, Python, Go, and possibly other languages. If your CGI script opens a network connection to another service, any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service.

Resolution

  • To address the issue, httpd was modified to not export the value of the Proxy HTTP header to the CGI script environment. Refer to the "Resolve" tab of the HTTPoxy - CGI "HTTP_PROXY" variable name clash vulnerability article for the list of httpd errata for various Red Hat products which incorporate the change.

  • Alternatively, this issue can be addressed via httpd configuration, using the mod_headers extension module with the following configuration:

    RequestHeader unset Proxy early
    

    This setting causes httpd to unset Proxy header from the incoming HTTP request before initializing the CGI environment. See Apache - Mod Headers for more information about the RequestHeader configuration directive.

Root Cause

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

1 Comments

error pasted by me in search is not even remotely related to http proxy