This article explains how to protect your SSFE server from the httpoxy vulnerability.
A serious vulnerability has been disclosed in the way CGI and CGI-like environments on Linux and Unix hand request headers to application code written in PHP, Go, Python and other languages. This article shows how to mitigate httpoxy at the web server, in front of applications served through HAProxy, Varnish, Nginx, Apache, Tomcat and similar software.
Httpoxy is a set of vulnerabilities that affect application code running in CGI or CGI-like environments. It comes down to a simple namespace conflict:
- RFC 3875 (CGI) turns every request header into an environment variable named HTTP_ plus the upper-cased header name, so a client-supplied Proxy header becomes HTTP_PROXY.
- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy, and many HTTP client libraries honour it without checking where it came from.
The result is remotely exploitable: an attacker adds a Proxy header to a request, and any outbound HTTP request the application makes while handling that request is routed through the attacker's host, which allows man-in-the-middle attacks on backend traffic. If you run PHP, CGI or any application that makes outbound HTTP requests from a CGI-like environment, block the Proxy header before it reaches the application; there is no legitimate use for it. On the server side, Apache HTTP Server is affected directly (CVE-2016-5387). Nginx, Varnish and HAProxy do not build a CGI environment themselves, but they forward the header unchanged to FastCGI, uWSGI, SCGI and proxied backends unless configured to strip it, so they need the same mitigation.
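To make the namespace conflict concrete, here is an added example in Python (not code from the original article, from httpoxy.org or from any of the projects named above). It builds the HTTP_* meta-variables from a raw request the way RFC 3875 section 4.1.18 prescribes, shows a naive client picking the attacker's value up from HTTP_PROXY, and then shows the same request with the Proxy header dropped before the meta-variables are built, which is what the Apache and Nginx rules later in this article achieve. The request, the host names and the outbound_proxy consumer are all constructed for illustration.

```python
"""Added example, not from the original article: how a client-supplied
"Proxy:" header becomes the HTTP_PROXY CGI meta-variable, and how dropping
the header at the front end removes the collision."""

# Constructed raw request, as an attacker would send it (hosts are fictitious).
ATTACK_REQUEST = (
    b"GET /cgi-bin/fetch.cgi?u=http://api.internal/ HTTP/1.1\r\n"
    b"Host: victim.example\r\n"
    b"Proxy: http://attacker.example:8080\r\n"
    b"User-Agent: curl/7.47.0\r\n"
    b"\r\n"
)

# Header names (lower-case) that must never become HTTP_* meta-variables.
BLOCKED_HEADERS = frozenset({"proxy"})


def cgi_meta_variables(raw, block=frozenset()):
    """Build the CGI environment from a raw request.

    RFC 3875 4.1.18: each header becomes HTTP_ + upper-cased name with '-'
    replaced by '_'.  Header names are case-insensitive, so matching against
    `block` is done on the lower-cased name.  Anything in `block` is dropped,
    which is the mitigation ("RequestHeader unset Proxy" / fastcgi_param
    HTTP_PROXY "") expressed as code.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": path, "QUERY_STRING": query}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in block:
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value.strip()
    return env


def outbound_proxy(env):
    """Naive client behaviour: honour HTTP_PROXY from the environment.

    This is a stand-in for the behaviour of unpatched HTTP client libraries;
    it returns the proxy URL the application would route its backend
    requests through, or None.
    """
    return env.get("HTTP_PROXY")


if __name__ == "__main__":
    vulnerable = cgi_meta_variables(ATTACK_REQUEST)
    hardened = cgi_meta_variables(ATTACK_REQUEST, BLOCKED_HEADERS)
    print("unfiltered front end -> proxy:", outbound_proxy(vulnerable))
    print("Proxy header dropped -> proxy:", outbound_proxy(hardened))
```

With the header passed through, outbound_proxy returns the attacker's URL; with it dropped, HTTP_PROXY never exists and the client falls back to a direct connection. Patched client libraries (for example Go's net/http and Python's urllib) now ignore HTTP_PROXY when REQUEST_METHOD is set, but stripping the header at the server protects every backend regardless of its library version.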
To remove the HTTP Proxy header with Apache (this requires mod_headers, enabled on Debian/Ubuntu with "sudo a2enmod headers"):
- Add "RequestHeader unset Proxy early" to /etc/apache2/apache2.conf. The "early" keyword removes the header while the request is being read, before any CGI environment is built or the request is proxied:
sudo sed -i '$ a\\nRequestHeader unset Proxy early' /etc/apache2/apache2.conf
- Check the configuration, and restart the service only if no syntax errors are reported:
sudo apachectl configtest
sudo service apache2 restart
To remove the HTTP Proxy header with Nginx:
- Add 'fastcgi_param HTTP_PROXY "";' to /etc/nginx/fastcgi_params so that FastCGI backends such as PHP-FPM never see the variable. If your server blocks include /etc/nginx/fastcgi.conf instead, add the same line there; uWSGI and SCGI backends need the equivalent 'uwsgi_param HTTP_PROXY "";' and 'scgi_param HTTP_PROXY "";':
sudo sed -i '/SERVER_NAME/ a\\nfastcgi_param HTTP_PROXY \"\";' /etc/nginx/fastcgi_params
- Add 'proxy_set_header Proxy "";' to the http block of /etc/nginx/nginx.conf so that proxied backends do not receive the header. A server or location block that contains its own proxy_set_header directives does not inherit this one, so repeat it in any such block:
sudo sed -i '/types_hash_max_size/ a\ proxy_set_header Proxy \"\";' /etc/nginx/nginx.conf
- Check the configuration and restart the service:
sudo nginx -t
sudo service nginx restart
Download and run the following script to perform the steps above automatically. It only edits a server whose configuration file is present, skips a line that has already been added (so it can be re-run safely), and restarts each service only if its configuration test passes:
mitigation-httpoxy.sh
#!/bin/bash
# Mitigation for httpoxy. The Apache HTTP Server side of the issue is
# tracked as CVE-2016-5387.
# Please refer to:
# https://httpoxy.org/#fix-now
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
set -u
if [ "$(id -u)" -ne 0 ]; then
    echo "You must be root to run this script." >&2
    exit 1
fi
# Removing the HTTP Proxy Header with Nginx
if [ -f /etc/nginx/nginx.conf ]; then
    echo "Removing the HTTP Proxy Header with Nginx..."
    # Cover both parameter files; only edit those that exist and lack the fix.
    for f in /etc/nginx/fastcgi_params /etc/nginx/fastcgi.conf; do
        if [ -f "$f" ] && ! grep -q 'HTTP_PROXY' "$f"; then
            sed -i '/SERVER_NAME/ a\\nfastcgi_param HTTP_PROXY \"\";' "$f"
        fi
    done
    # Strip the header from requests proxied to HTTP backends.
    grep -q 'proxy_set_header Proxy' /etc/nginx/nginx.conf || \
        sed -i '/types_hash_max_size/ a\ proxy_set_header Proxy \"\";' /etc/nginx/nginx.conf
    nginx -t && service nginx restart
fi
# Removing the HTTP Proxy Header with Apache
if [ -f /etc/apache2/apache2.conf ]; then
    echo "Removing the HTTP Proxy Header with Apache..."
    # RequestHeader is provided by mod_headers.
    a2enmod headers >/dev/null
    grep -q 'RequestHeader unset Proxy' /etc/apache2/apache2.conf || \
        sed -i '$ a\\nRequestHeader unset Proxy early' /etc/apache2/apache2.conf
    apachectl configtest && service apache2 restart
fi