HTTPoxy Patch and Mitigation Links

By | July 20, 2016

HTTPoxy Patch and Mitigation Links

HTTPoxy Status

HTTPoxy is a CGI bug that relates to how webservers and applications deal with certain environment variables. It’s the latest and greates BWAIN (Bug with an Interesting Name). There are two independent way to protect yourself from this bug and the manner that is best for you or your organization will depend on how you’ve implemented your systems. At it’s core is a difference between what the CGI Spec (RFC 3875) says should happen and what is expected by application developers.

What’s Affected

There are 6 basic main categories of products that are currently affected by HTTPoxy:

Additionally there’s a numbe of other projects based off stuff like this that’s vulnerable to HTTPoxy. Please don’t view this as a comphrehensive list:

Mitigation

The fastest way to “fix” your infrastructure is to mitigate the problem. The fastest way to “fix” this (generally) is to apply one of the mitigations available. The HTTPoxy site has a list of mitigations that are available:

Project Mitigation Available
NGINX + FastCGI
Apache
HAProxy
Varnish
relayd
lighttpd
lighttpd2
MS IIS + PHP

Patching

Additionally there’s a number of patches being worked on that should remove the potential for this vulnerability. A hat tip should go to the libwww-perl, curl and Ruby projects for patching and noticing this conflict before it became an issue. Because of the number of things that could be patched I’m limiting the amount of systems I’m checking to just the main 5 (Last Update 1469118992):

Distro PHP Status Go Status Apache HTTP Status Apache Tomcat HHVM Status Python Status
Red Hat In Progress In Progess Mostly Patched In Progress N/A In Progress
Canonical In Progress In Progress Patched In Progress Unknown Unknown
Debian In Progress In Progress Patched Partially Patched Reserved Reserved
Suse Patched Unknown Patched Unknown Unknown Unknown
FreeBSD1 No Patch Mostly Patched Patched No Patch Not Supported No Patch

Other Readings

Technical Articles and References

Here is a list of information posts with good technical details that you’ll find useful in your own research.

  1. HTTPoxy. “A CGI application vulnerability
    for PHP, Go, Python and others
    “. httpoxy. July 19th 2016.
  2. CERT. “Vulnerability Note VU#797896“. Vulnerability Notes Database. July 18th 2016.
  3. Ellingwood, Justin. “How to Protect Your Server Against the HTTPoxy Vulnerability“. DigitalOcean Community. July 18th 2016.
  4. Scheirlinck, Dominic. “How ‘The Internet’s Biggest Blind Spot’ lead to a 15 year old security vulnerability“. We Build Vend. July 18th 2016.
  5. Scheirlinck, Dominic. “What is httpoxy? An explanation for non-technical audiences.”We Build Vend. July 18th 2016.
  6. Brehm, Till. “HTTPOXY Vulnerability: How to protect and test your web server“. Howto Fore. July 20th 2016.

News Articles

Here are some various news articles I’ve found on HTTPoxy that seem to have some good information about this issue.

  1. Ducklin, Paul. “HTTPoxy – the disease that could make your web server spring a leak“. naked security. July 19th 2016.
  2. Pauli, Darren. “15-year-old security hole HTTPoxy returns to menace websites – it has a name, logo too“. The Register. July 18th 2016.
  3. Zorz, Zeljka. “Widespread httpoxy vulnerabilities affect server-side web apps“. Help Net Security. July 19th 2016.
  4. Osborne, Charlie. “15-year-old httpoxy flaw causes developer patch scramble“. ZDNet. July 19th 2016.
  5. Cancellari, Nic. “httpoxy – the lurking bug with HTTP_PROXY that escaped patching widely for 15 years“. peerlyst. July 20th 2016.

Vendor Responses

I’ve compiled some vendor responses to this issue. If you have one let me know and I’ll update. It should be noted that I work for VDMS so I tossed it at the top of the list.

  1. VDMS
  2. Red Hat
  3. NGINX
  4. Apache
  5. CloudFare
  6. Akamai
  7. Fastly
  8. Microsoft
  9. Resellers Panel
  10. SiteGround

Appendix

  1. FreeBSD’s VuXML page for this issue seems to have been taken down. Per their commit:

    Remove HTTPoxy entry in vuxml until a we know if upstream vendors will patch this so things aren’t marked vulnerable forever.

One thought on “HTTPoxy Patch and Mitigation Links

Leave a Reply

Your email address will not be published. Required fields are marked *