Software Integrity

 

Blast from the past: 15-year-old security hole hits websites

The httpoxy flaw, first disclosed 15 years ago, has resurfaced and potentially leaves server-side website software open to hijackers.

In response, The Apache Software Foundation, Red Hat, Nginx and others have rushed to patch the httpoxy flaw, officially known as CVE-2016-5385 in PHP; CVE-2016-5386 in Go; CVE-2016-5387 in Apache HTTP Server; CVE-2016-5388 in Apache Tomcat; CVE-2016-1000109 in the PHP engine HHVM; and CVE-2016-1000110 in Python.

According to the Register, “you abuse the Proxy HTTP header in a request to the application to set a common environment variable called HTTP_PROXY on the application’s server. The app then, due to a naming conflict, uses the proxy server defined by that variable for any of its outgoing HTTP connections. So, if you point HTTP_PROXY at a malicious server, you can intercept the web app’s connections to other systems and, depending on how the code is designed, potentially gain remote code execution. It hinges on whether or not the app makes outgoing connections as part of its operation, and if these can be usefully exploited.”

“If you’re running PHP or CGI, you should block the Proxy header now,” Vend infrastructure engineer Dominic Scheirlinck, who coordinated the disclosure of the security holes with software makers, told the Register.

“httpoxy is extremely easy to exploit in basic form, and we expect security researchers to be able to scan for it quickly. If you’re not deploying code, you don’t need to worry,” added Scheirlinck.
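The naming conflict and the "block the Proxy header" advice can be seen in a short Python sketch. This is an added example, not code from the article or from any of the affected projects; the function names, host names and request are constructed for illustration, and the header-to-variable mapping follows the CGI rule in RFC 3875 section 4.1.18.

```python
# Added example: models how a CGI gateway builds the child process
# environment and why a client-supplied "Proxy" header collides with the
# HTTP_PROXY variable that many HTTP client libraries consult.
# All names and values below are constructed for illustration.

def cgi_meta_variables(headers):
    """RFC 3875 4.1.18: each header becomes HTTP_<NAME>, upper-cased,
    with '-' replaced by '_'. Header names are case-insensitive."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers}

def drop_proxy_header(headers):
    """Mitigation: strip the Proxy header before the request reaches the app.
    Proxy is not a standard request header, so removing it is safe."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]

def build_cgi_environment(server_env, headers, block_proxy=False):
    """Server environment first, then request-derived variables on top,
    so a request header can overwrite an operator-set HTTP_PROXY."""
    if block_proxy:
        headers = drop_proxy_header(headers)
    env = dict(server_env)
    env.update(cgi_meta_variables(headers))
    return env

def proxy_for_outgoing_http(env):
    """Stand-in for an HTTP client that trusts HTTP_PROXY from its environment."""
    return env.get("HTTP_PROXY")

# Constructed sample data: the operator's own proxy setting and a request
# carrying an untrusted Proxy header (mixed case on purpose).
SERVER_ENV = {"PATH": "/usr/bin", "HTTP_PROXY": "http://egress.internal.example:3128"}
REQUEST_HEADERS = [
    ("Host", "shop.example"),
    ("User-Agent", "constructed-client/1.0"),
    ("pRoXy", "http://untrusted.example:8080"),
]

if __name__ == "__main__":
    exposed = build_cgi_environment(SERVER_ENV, REQUEST_HEADERS)
    patched = build_cgi_environment(SERVER_ENV, REQUEST_HEADERS, block_proxy=True)
    print("without blocking:", proxy_for_outgoing_http(exposed))
    print("with blocking:   ", proxy_for_outgoing_http(patched))
```

In the unfiltered case the application's outgoing requests would be routed through the value taken from the request; with the header dropped, the operator's own setting (or no proxy at all) is what the client sees.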

Individual advisories can be found here: Apache, Red Hat, US CERT, Nginx, and Drupal with more details. And there’s a non-technical guide here.