HTTPoxy - Is my nginx affected?

Solution In Progress

Environment

Red Hat Software Collections for Red Hat Enterprise Linux 6 and 7

Issue

This issue applies when you are using CGI with PHP, Python or Go. Nginx does not support CGI in its default configuration; however, many users add a solution such as simplecgi or fcgiwrap to provide this functionality through the built-in FastCGI support.

If your CGI script opens an HTTP connection to another service, any outgoing requests generated in turn from the attacker's original request can be redirected to an attacker-controlled proxy, because the client-supplied Proxy request header reaches the script as the HTTP_PROXY environment variable, which many HTTP client libraries honour.

Resolution

To prevent this issue in the Nginx configuration, add the following line to your FastCGI configuration (normally /etc/nginx/fastcgi_params) so that an explicitly set, empty HTTP_PROXY parameter takes precedence over the value derived from the request header:

    fastcgi_param  HTTP_PROXY  "";

See Nginx - FastCGI Module for more information on the fastcgi_param configuration directive.
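As an added example (not part of this solution and not Red Hat's code), the following script answers the question in the title from two sides: it audits a fastcgi_params file for the mitigation line above, and it shows the complementary script-side hardening of dropping HTTP_PROXY only when the script runs under CGI. The sample configurations and the path check are constructed for illustration.

```python
import os
import re

# Matches the mitigation line from the Resolution:  fastcgi_param HTTP_PROXY "";
# Whitespace is flexible and both quote styles are accepted; the value must be empty.
_MITIGATION_RE = re.compile(r"^\s*fastcgi_param\s+HTTP_PROXY\s+(?:\"\"|'')\s*;")

def fastcgi_params_clear_http_proxy(config_text):
    """Return True if the given fastcgi_params text explicitly clears HTTP_PROXY.

    Comment lines are ignored, so a commented-out mitigation does not count.
    """
    for line in config_text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        if _MITIGATION_RE.match(line):
            return True
    return False

def audit_fastcgi_params(path='/etc/nginx/fastcgi_params'):
    """Read the file nginx normally includes and report whether it is mitigated."""
    with open(path) as fh:
        return fastcgi_params_clear_http_proxy(fh.read())

def cgi_request_environment(env):
    """Defensive copy of a CGI script's environment with HTTP_PROXY removed.

    Under CGI the server sets GATEWAY_INTERFACE, and HTTP_PROXY then comes from
    the client's Proxy request header rather than from the administrator, so
    outgoing HTTP client code must not trust it.  Outside CGI the variable is
    left alone, since there it is a legitimate operator setting.
    """
    env = dict(env)
    if 'GATEWAY_INTERFACE' in env:
        env.pop('HTTP_PROXY', None)
    return env

# Constructed sample configurations (not real files from the solution).
VULNERABLE_PARAMS = """\
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
# fastcgi_param  HTTP_PROXY  "";
"""
MITIGATED_PARAMS = VULNERABLE_PARAMS + 'fastcgi_param  HTTP_PROXY  "";\n'

if __name__ == '__main__':
    print('sample vulnerable config mitigated:', fastcgi_params_clear_http_proxy(VULNERABLE_PARAMS))
    print('sample mitigated config mitigated: ', fastcgi_params_clear_http_proxy(MITIGATED_PARAMS))
    live = '/etc/nginx/fastcgi_params'
    print('live file mitigated:', audit_fastcgi_params(live) if os.path.exists(live) else 'file not found')
```

Run it on the server as a user that can read /etc/nginx/fastcgi_params; a False result for the live file means the mitigation line is absent or commented out.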

Root Cause

See HTTPoxy - CGI "HTTP_PROXY" variable name clash for more information.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
