Skip to content

Leonid Mamchenkov

Life, universe, and everything else

Home
Archives
About
Contact me

Email
Skype
LinkedIn
GitHub
Facebook
Twitter
Instagram
Flickr
YouTube
SlideShare
RSS Feed

Search for:

On this day...

2018: Yup
2017: Fedora 26 Update
2017: Fire and Motion
2016: How to Recover an Unreachable EC2 Linux Instance
2016: Git from the inside out
2016: SSH multiplexing and Ansible via bastion host
2016: Packer – a tool for creating VM and container images
2016: WordPress Plugins : Demo Data Creator
2015: 22 Things You Probably Didn’t Know About Beer
2014: Validating website HTML, CSS, and links from the command line
2014: Daily dose of Instagram
2012: An extremely wise manager once told me, people do …
2012: Letter from a Birmingham Jail
2012: Nobody ever changed anything by remaining quiet, i…
2012: Hans Rosling on global population growth
2011: Day in brief – 2011-07-24
2010: Jon Lajoie : Pop Song
2010: Day in brief
2010: Tenacious D – Kickapoo
2008: Wanted

httpoxy – a CGI application vulnerability for PHP, Go, Python and others

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments.

It comes down to a simple namespace conflict:

RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY

HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now.

Share:

Click to share on Twitter (Opens in new window)
Click to share on Facebook (Opens in new window)
Click to share on LinkedIn (Opens in new window)
Click to share on Pinterest (Opens in new window)
Click to share on Pocket (Opens in new window)
Click to share on Reddit (Opens in new window)
Click to email a link to a friend (Opens in new window)
More

Click to share on WhatsApp (Opens in new window)
Click to share on Telegram (Opens in new window)
Click to share on Tumblr (Opens in new window)
Click to print (Opens in new window)

Related

Posted on July 24, 2016Author Leonid MamchenkovCategories All, Programming, Sysadmin, Technology, Web workTags PHP, Python, security, web development

One thought on “httpoxy – a CGI application vulnerability for PHP, Go, Python and others”

Al Bo says:

July 24, 2016 at 10:50 am

Too many vulnerabilities. Must be a conspiracy theory behind it :-)

Reply

Leave a CommentCancel reply

Post navigation

Previous Previous post: The RegEx that killed StackOverflow

Next Next post: WordPress Plugins : Demo Data Creator

Proudly powered by WordPress

This website uses cookies. Purely for technical reasons. Accept Reject Read more

Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Non-necessary

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.

SAVE & ACCEPT

Go to mobile version

Loading Comments...

Write a Comment...

Email (Required)

Name (Required)

Website