HTTPoxy. (CERT VU#797896)

Par for the course in the IT world, yet another vulnerability arises - HTTPoxy (CERT VU#797896).

This issue concerns the HTTP_PROXY header and can affect environments running PHP and CGI. It may result in a remotely exploitable vulnerability.
Please look at the link

https://httpoxy.org

Pay close attention to the section in the first document titled “Ineffective fixes in PHP” and the section(s) relevant to your HTTP server environment.

The official advisory from ASF is here

https://www.apache.org/security/asf-httpoxy-response.txt

Code efficiently, code securely.

Sean H. - CISA, CISM
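
An added example (not part of the original post or the linked advisories): a simplified Python model of the CGI convention from RFC 3875, where a request header `Name` reaches the application as the environment variable `HTTP_NAME`, so a client-sent `Proxy` header lands in `HTTP_PROXY`. `strip_proxy_header` shows the header being dropped before the environment is built; all function names and sample values are constructed for illustration.

```python
# Simplified model of CGI environment construction (RFC 3875 naming rule).
# Function names and sample data are hypothetical, constructed for this example.

def cgi_environ(headers, base_env=None):
    """Build a CGI-style environment: header 'Foo-Bar' becomes HTTP_FOO_BAR.

    base_env models variables the administrator set for the server process.
    """
    env = dict(base_env or {})
    for name, value in headers:
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value
    return env

def strip_proxy_header(headers):
    """Mitigation: discard any 'Proxy' request header, matched case-insensitively."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]

def outbound_proxy(env):
    """The value a proxy-aware HTTP client library would read from the environment."""
    return env.get("HTTP_PROXY")

# Constructed sample request headers (not from a real capture).
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("User-Agent", "sample-client/1.0"),
    ("Proxy", "http://untrusted.example.test:8080"),
]

# Constructed server-side setting: the proxy the administrator intended.
ADMIN_ENV = {"HTTP_PROXY": "http://proxy.corp.example.test:3128"}

def demo():
    """Return the proxy seen by the application without and with the filter."""
    unfiltered = cgi_environ(SAMPLE_HEADERS, ADMIN_ENV)
    filtered = cgi_environ(strip_proxy_header(SAMPLE_HEADERS), ADMIN_ENV)
    return outbound_proxy(unfiltered), outbound_proxy(filtered)

if __name__ == "__main__":
    before, after = demo()
    print("HTTP_PROXY without filtering:       ", before)
    print("HTTP_PROXY with Proxy header removed:", after)
```
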

Hello

Can anybody translate this and explain the impact?

In simple terms: If you have your website behind a proxy and you are running Apache you may be vulnerable. If you don't have that in your headers then there is no problem.
Use HttpFox in Firefox to check if you want to be sure (or an HTTP sniffer like HttpWatch) for seeing if it is the case with your websites… If so then follow the official advisory…

Thanks rr, is that including if I have an HTTP server inside an organization that uses a proxy for intranet?

Yes that is an example where this can go seriously wrong. Hence the advisory…