15-year-old security hole HTTPoxy returns to menace websites – it has a name, logo too

A dangerous easy-to-exploit vulnerability discovered 15 years ago has reared its head again, leaving server-side website software potentially open to hijackers. The Apache Software Foundation, Red Hat, Nginx and others have rushed to warn programmers of the so-called httpoxy flaw, specifically: CVE-2016-5385 in PHP; CVE-2016- …

  1. edge_e
    WTF?

    From the linked article

    "The Proxy header is undefined by the IETF, and isn’t listed on the IANA’s registry of message headers. This means there is no standard use for the header at all; not even a provisional use-case.

    Standards-compliant HTTP clients and servers will never read or send this header."

    So why isn't it blocked in the default configuration?

    1. kurtseifried

      Re: From the linked article

      The problem is not the header, you should be able to pass any headers around that you want (often people create and use headers for internal identification of requests, or have remote JavaScript clients using special headers). The problem is that due to popular convention many web servers simply prefix HTTP_ to the headers when turning them into environmental variables, and thus the name space conflict.

      The good news is that Apache and others are preventing the Proxy header specifically from being turned into an environmental variable, but we can't just automatically drop it because that is unexpected and somewhat rude. Server operators are of course free to simply block or drop the header as they see fit.

      1. Nick Kew Silver badge

        Re: From the linked article

        Standards-compliant HTTP clients and servers will never read or send this header

        Not quite correct. HTTP allows agents to define custom headers, so "Proxy" is allowed as such. To the bog-standard server, such as Apache or nginx out-of-the-box, it's as meaningful as "Vhjsrmwb" or "jasswe33d". And equally harmless.

        The problem is that due to popular convention many web servers simply prefix HTTP_

        That's not popular convention, it's the original CGI standard - which is inherited by all the CGI-imitators like PHP. A way to make headers available to applications that might be interested. All HTTP end-to-end or undefined headers except a few enumerated ones SHOULD be treated this way, but MAY be suppressed if they give rise to security issues.

        The trouble arises where languages and libraries use HTTP_PROXY to mean something they shouldn't be taking from untrusted input. I haven't tested it, but I should imagine Perl used with taint-checking (as it always should be on the web) is safe. On the other hand, PHP is always vulnerable to everything, and more generally YMMV. Hence the web servers taking it on themselves to block an incoming Proxy header from propagating to the CGI environment.

        The good news is that Apache and others are preventing the Proxy header specifically from being turned into an environmental variable, but we can't just automatically drop it because that is unexpected and somewhat rude.

        Actually we can just drop it. If the backend application has a legitimate use for an HTTP_PROXY environment variable, it can be set in the server configuration, for example with Apache's SetEnv directive. But not from an untrusted source.
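        As an added illustration of the header-to-environment mapping and the two mitigations discussed above (gateway-side drop, trusted value set by the operator), here is example code that is not from Apache, nginx, PHP or the httpoxy authors; the `cgi_env` helper, the hostnames and the request headers are made up:

```python
"""Added example (not code from Apache, nginx, PHP or the httpoxy site):
a CGI-style gateway turning request headers into HTTP_* variables, the
resulting collision with HTTP_PROXY, and two mitigations: dropping the
header at the gateway, and a client that ignores HTTP_PROXY when it is
running under CGI (which Python's urllib does since its httpoxy fix)."""
import os
from unittest import mock
from urllib.request import getproxies_environment


def cgi_env(headers, drop=()):
    """Hypothetical gateway: 'User-Agent' -> 'HTTP_USER_AGENT' as the CGI
    spec describes. Names in `drop` never reach the environment."""
    blocked = {name.lower() for name in drop}
    env = {}
    for name, value in headers:
        if name.lower() not in blocked:
            env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_client_proxy(env):
    """Client library that trusts HTTP_PROXY blindly: inside a CGI child
    this returns whatever the remote peer put in the Proxy header."""
    return env.get("HTTP_PROXY")


def effective_http_proxy(env, trusted=None):
    """Proxy Python's urllib would really use inside a CGI child.
    `trusted` stands in for a value the operator set in server config
    (Apache SetEnv); being lower-case it survives, while the upper-case,
    request-derived HTTP_PROXY is discarded once REQUEST_METHOD is set."""
    child = dict(env, REQUEST_METHOD="GET")   # CGI always sets this
    if trusted is not None:
        child["http_proxy"] = trusted
    with mock.patch.dict(os.environ, child, clear=True):
        return getproxies_environment().get("http")


# Constructed request headers; the Proxy value came from an untrusted peer.
REQUEST_HEADERS = [
    ("Host", "shop.example"),
    ("User-Agent", "curl/7.50"),
    ("Proxy", "http://untrusted.example:8080"),
]
```

        With the header dropped at the gateway, or with urllib's lower-case-wins rule under CGI, the untrusted value never becomes the outbound proxy, while an operator's own `http_proxy` still applies.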

    2. Nick Kew Silver badge

      Re: From the linked article

      OK, that is a direct quote, and it's not even something that's completely different taken in context.

      Does anyone have contact details for that httpoxy page? It really needs correcting. It's true that a Proxy: header plays no role in implementing HTTP, but it's absolutely wrong to suggest that a standards-compliant agent will never use it.

  2. Notas Badoff Silver badge

    Perl? Perl!

    So this is at least the second vulnerability in the last year or so, spread across multiple libraries, that could have been avoided if there was such a thing as "institutional memory". But no, Perl is sooo passé, we don't need to remember what the Internet's first language experienced when exposed to the real world and malefactors. All those fixes ignored...

    Santayana: "... and when experience is not retained, as among savages, infancy is perpetual. ..."

    1. kurtseifried

      Re: Perl? Perl!

      So part of the problem is that there are about 10,000 major Open Source projects (purely guessing, but Red Hat ships roughly that # of packages now) with tens to tens of thousands of commits per year. Sorting out the wheat from the chaff is tough. One approach to this is to identify security-related commits and get them labeled with CVE identifiers if they are indeed a vulnerability (as this one would have been); once things have CVEs (and are listed in the CVE databases) they become much more findable/useful (drinking from a garden hose instead of a fire hose).

      To this end CVE is moving to a federated model; currently the DWF (https://distributedweaknessfiling.org/) is the root for all Open Source. So if you see something, report something! If it's public and not needing an embargo then please email the oss-security@lists.openwall.com list (you do not need to be subscribed to post). If it is private or maybe needs sensitive handling please notify us (Red Hat) at secalert@redhat.com or CERT (https://vulcoord.cert.org/VulReport/). For closed source CERT is also a good bet.

      1. alexpott

        Re: Perl? Perl!

        Hi kurtseifried (RedHat),

        Unfortunately the advice (https://access.redhat.com/solutions/2442861) you are giving your customers using PHP is not correct. There are no userland fixes possible - see https://twitter.com/alexpott/status/755111891144478720

    2. Anonymous Coward

      Re: Perl? Perl!

      I vaguely remember perl... Wasn't it some sort of batch interpreter a bit like command.com?

    3. breakfast

      Re: Perl? Perl!

      Those who do not learn from history are doomed to repeat it, but if those who do learn from it have to do so by reading a whole lot of Perl then they might as well go ahead and repeat it anyways - nobody will be able to figure out what it is doing or how it is doing it, let alone why.

      1. Daggerchild Silver badge

        Re: Perl? Perl!

        It's funnier than that - the children of the parents who fixed the bug, reintroduced it again!

        I didn't think anything used 'HTTP_PROXY' - I thought everything knew it was 'http_proxy', for this exact reason. Which clever bunny decided case sensitivity/everyone else was wrong?

  3. Anonymous Coward

    Letting your webserver connect back out to the Internet...

    Madness. You deserve to get hacked.

    1. Olius

      Re: Letting your webserver connect back out to the Internet...

      Yes, all those shopping sites, connecting to their payment gateways to process card transactions - utter madness... /sark

      1. hmv

        Re: Letting your webserver connect back out to the Internet...

        Or connecting to just the payment gateways.

  4. Anonymous Coward

    Two Naked Women Wrestling In Oil

    Is what I'll call the next (and indeed first) global internet vulnerability I discover. I've got the logo all sorted out in my head, actually it's more like an animated gif, and it's looking pretty good. I just need to find the vulnerability itself, and a girlfriend. It'll probably be in Windows or something. (Not the girlfriend).

    1. Anonymous Coward

      Re: Two Naked Women Wrestling In Oil

      You know that Windows ... That's your girlfriend that is.

      1. Anonymous Coward

        Re: Two Naked Women Wrestling In Oil

        You know that Windows ... That's your girlfriend that is.

        Nice one! Except that no woman has ever forced herself into my home, uninvited, and refused to leave.

  5. lansalot

    I see SNORT signatures, but has anyone come up with an easy way to scan/test for this? (SNORT being reactive of course, I'd rather know in advance..)

    nmap, nessus, some funky python script etc?

    1. Brewster's Angle Grinder Silver badge

      <speculation>Probably not.</speculation>

      You've got to send a request that triggers an outgoing connection from the server. It's hard to know how to do that.

  6. Anonymous Coward

    do not allow your webserver to make connections into the wild, set up network access rules


Biting the hand that feeds IT © 1998–2019