Widespread httpoxy vulnerabilities affect server-side web apps


A new, branded set of vulnerabilities has been revealed by security researchers, this time responsibly and without too much fanfare.

httpoxy

The collective name given to the vulnerabilities is httpoxy. They affect server-side web applications only – application code running in Common Gateway Interface (CGI), or CGI-like environments.

“If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to proxy the outgoing HTTP requests made by the web application, direct the server to open outgoing connections to an address and port of their choosing, tie up server resources by forcing the vulnerable software to use a malicious proxy,” the researchers explained, describing the exploitation potential of the vulnerabilities.

Curiously enough, the httpoxy bug was first discovered (and fixed) 15 years ago in the libwww-perl and curl libraries.

In the last few years it was also noticed by some other developers but, in general, knowledge about it had not reached the wider developer community, likely because, as the httpoxy disclosure research team put it, “their finding wasn’t loudly and urgently transmitted to everyone else using CGI.”

“Httpoxy has existed (and been known about) for a long time, yet new occurrences of the vulnerability were still being introduced as late as 2016. Indeed, we found a large number of feature requests for HTTP clients to add the ability to read HTTP_PROXY in GitHub issues,” they pointed out.

While the vulnerability is easy to exploit, it’s also easy to mitigate – the team has detailed mitigation instructions for a variety of web servers and software, as well as pointed out ineffective fixes.
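The following is an added illustration, not code from the article or from the httpoxy disclosure team, of the mechanism described above and of the client-side mitigation. It shows how the CGI header-to-environment translation (RFC 3875) lets a request header land in the same HTTP_PROXY variable that HTTP clients read as proxy configuration, contrasts a client that honours that variable unconditionally with one that ignores it while running under CGI (the same guard CPython's urllib applies), and adds a small detection helper. The request headers, addresses and function names are constructed for the example.

```python
"""Added example: the httpoxy name collision, a client-side guard and a detector."""

# Constructed sample request. The third header is attacker-controlled; the
# CGI translation below turns it into the HTTP_PROXY meta-variable.
SAMPLE_REQUEST_HEADERS = {
    "Host": "app.example",                    # constructed hostname
    "User-Agent": "sample-client/1.0",        # constructed value
    "Proxy": "http://203.0.113.10:8080",      # constructed, TEST-NET-3 address
}


def cgi_meta_vars(headers, request_method="GET"):
    """Build the environment a CGI web server hands to the script.

    RFC 3875: each request header becomes HTTP_<NAME>, upper-cased with '-'
    replaced by '_'. REQUEST_METHOD is always present in a CGI environment,
    which is what the guard below relies on.
    """
    env = {"REQUEST_METHOD": request_method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_proxy_url(env):
    """Vulnerable behaviour: use HTTP_PROXY regardless of where it came from."""
    return env.get("HTTP_PROXY")


def guarded_proxy_url(env):
    """Mitigated behaviour: under CGI (REQUEST_METHOD set) HTTP_PROXY may be
    request-derived rather than operator-configured, so it is ignored.
    Outside CGI the operator's proxy setting is still honoured."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


def find_injected_proxy(env):
    """Detection helper: return an HTTP_PROXY value that appeared in a CGI
    environment, so the request can be logged and alerted on. Returns None
    when there is nothing suspicious."""
    if "REQUEST_METHOD" in env and "HTTP_PROXY" in env:
        return env["HTTP_PROXY"]
    return None


if __name__ == "__main__":
    env = cgi_meta_vars(SAMPLE_REQUEST_HEADERS)
    print("naive client would proxy via:  ", naive_proxy_url(env))
    print("guarded client would proxy via:", guarded_proxy_url(env))
    print("request-derived HTTP_PROXY:    ", find_injected_proxy(env))
```

The guard in `guarded_proxy_url` is the client-library half of the fix; the web-server mitigations the disclosure site lists work one layer earlier, by dropping the offending header before the CGI environment is built, and the two are complementary.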

Before coming out publicly with information about httpoxy, the team had responsibly disclosed the existence of the flaw to many affected parties (Apache, Microsoft, Nginx, etc.) so that mitigations could be offered in time for public disclosure.

The official site set up for the disclosure offers much detailed information and helpful links.