HTTPoxy - Is my Apache mod_fcgid affected?

Solution In Progress - Updated -


Red Hat Enterprise Linux 7.x


This issue applies when you’re using mod_fcgid with PHP, Python, Go, and possibly other languages. If your FastCGI script opens a HTTP connection to another service, any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy.


To address this issue, install the updated version of httpd, or use the mod_headers extension module to remove the Proxy header form incoming HTTP requests. See HTTPoxy - Is my Apache mod_cgi affected? solution for further details.

Note that when the FcgidPassHeader Proxy configuration directive is used in the mod_fcgid configuration, the HTTP_PROXY variable with the value from the Proxy request header will still be made available to FastCGI scripts even when updated httpd packages are installed. Therefore, ensure that the aforementioned configuration directive is not used in the mod_fcgid configuration to fully resolve the issue.

Root Cause

See HTTPoxy - CGI "HTTP_PROXY" variable name clash for more information for more information.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.