httpoxy – a CGI application vulnerability for PHP, Go, Python and others

Published 2016-07-24 at https://mamchenkov.net/wordpress/2016/07/24/httpoxy-a-cgi-application-vulnerability-for-php-go-python-and-others/

[image: httpoxy logo]

httpoxy (https://httpoxy.org/) is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments.

Quoted from httpoxy.org:

    It comes down to a simple namespace conflict:

    - RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
    - HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

    This leads to a remotely exploitable vulnerability. If you're running PHP or CGI, you should block the Proxy header now.