HTTPoxy - Is my Go application affected?

Solution In Progress - Updated -

Environment

Red Hat Enterprise Linux 7.x

Issue

This issue applies when a Go program runs as a CGI script. If the script reads the "HTTP_PROXY" environment variable to configure an outgoing HTTP proxy for its own requests, or uses a package that does so (Go's standard "net/http" package consults HTTP_PROXY through http.ProxyFromEnvironment, which is the proxy function of http.DefaultTransport), all subsequent HTTP traffic from the Go CGI script can be redirected through an outside proxy under the attacker's control.

Please note that this is only an issue when the affected Go CGI script is deployed on a CGI-enabled HTTP server which provides the contents of the "Proxy" header of an incoming HTTP request via the "HTTP_PROXY" environment variable.

Resolution

Red Hat has issued updates and mitigation guides for HTTP servers which prevent them from exposing the contents of the HTTP "Proxy" header as the "HTTP_PROXY" environment variable. Updating your HTTP server or applying the mitigation closes this vector and prevents exploitation of this flaw.

To prevent the attacker-supplied header from being used, any of the following approaches can be used:

  • Configure your Web Application Firewall to remove the "Proxy:" header.
  • Change your HTTP server configuration to remove the "Proxy:" header before Go scripts are invoked (see the other knowledgebase articles linked from the main HTTPoxy article linked below).
  • Make the following changes to your program:
    Add "os" to the imports if not already present:

        import "os"

    Add near the top of your "main" function, before any outgoing HTTP request is made (net/http reads the proxy environment once and caches it, so a later call has no effect):

        os.Unsetenv("HTTP_PROXY")
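The program-side mitigation above, carried one step further as an added example. This is not code from the original article or from any Red Hat or Go project; the helper names (scrubProxyEnv, newOutboundClient, proxyFor) and the hostnames used as sample input are assumptions chosen for illustration. Besides clearing the variable, it pins the client's proxy function to nil whenever the process is running under CGI, so the outgoing traffic cannot be redirected even if the environment is read before the scrub runs:

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
)

// cgiProxyVars lists the environment variables a CGI server derives from an
// attacker-controlled "Proxy:" request header. Go's proxy lookup accepts both
// spellings, so both are cleared.
var cgiProxyVars = []string{"HTTP_PROXY", "http_proxy"}

// runningAsCGI reports whether the process was started by a CGI server.
// RFC 3875 requires the server to set REQUEST_METHOD on every invocation,
// so its presence is a reliable indicator.
func runningAsCGI() bool {
	return os.Getenv("REQUEST_METHOD") != ""
}

// scrubProxyEnv removes the CGI-derived proxy variables from the process
// environment and returns the names that were actually present. Call it
// before any outgoing HTTP request: net/http caches the proxy environment
// on first use, so a late Unsetenv has no effect on that cached value.
func scrubProxyEnv() []string {
	var removed []string
	for _, name := range cgiProxyVars {
		if _, set := os.LookupEnv(name); set {
			os.Unsetenv(name)
			removed = append(removed, name)
		}
	}
	return removed
}

// newOutboundClient builds the client used for the script's own outgoing
// requests. Under CGI the proxy function is pinned to nil (direct
// connection), so an HTTP_PROXY value that slipped past scrubProxyEnv cannot
// redirect traffic. Outside CGI the normal environment lookup is kept.
func newOutboundClient() *http.Client {
	t := http.DefaultTransport.(*http.Transport).Clone()
	if runningAsCGI() {
		t.Proxy = nil
	} else {
		t.Proxy = http.ProxyFromEnvironment
	}
	return &http.Client{Transport: t}
}

// proxyFor reports which proxy the client would use for rawURL, or nil for a
// direct connection. It only consults the transport's proxy function and
// sends no traffic.
func proxyFor(c *http.Client, rawURL string) (*url.URL, error) {
	t := c.Transport.(*http.Transport)
	if t.Proxy == nil {
		return nil, nil
	}
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return nil, err
	}
	return t.Proxy(req)
}

func main() {
	// Constructed CGI environment standing in for what a vulnerable server
	// sets when it receives "Proxy: http://attacker.invalid:8080".
	os.Setenv("REQUEST_METHOD", "GET")
	os.Setenv("HTTP_PROXY", "http://attacker.invalid:8080")

	fmt.Println("removed from environment:", scrubProxyEnv())
	client := newOutboundClient()
	p, err := proxyFor(client, "http://backend.internal/api")
	fmt.Printf("proxy for outgoing request: %v (err=%v)\n", p, err)
}
```

The two layers are independent: scrubProxyEnv protects any code that reads the variable itself (third-party libraries, child processes inheriting the environment), while the nil proxy function protects the script's own net/http traffic regardless of ordering. Go 1.7 and later already ignore HTTP_PROXY in http.ProxyFromEnvironment when REQUEST_METHOD is set; the explicit pin covers older toolchains and code paths that do not go through that function.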

Root Cause

See HTTPoxy - CGI "HTTP_PROXY" variable name clash for more information.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
