Indusface Total Application Security – Customer Advisory on HTTPoxy Vulnerability (CRITICAL)

What is HTTPoxy Vulnerability?

This is an old scripting vulnerability that affects a large number of Linux distributions and programming languages. It allows man-in-the-middle attacks that could compromise web servers. Revealed yesterday, it affects mostly PHP and CGI web apps.

CVE Details

• CVE-2016-5385 in PHP

• CVE-2016-5386 in Go

• CVE-2016-5387 in Apache HTTP server

• CVE-2016-5388 in Apache Tomcat

• CVE-2016-1000109 in PHP-engine HHVM

• CVE-2016-1000110 in Python

What are the risks?

As a set of vulnerabilities, it can be exploited through a simple namespace conflict: CGI maps incoming HTTP headers to environment variables, and affected HTTP client libraries unsafely trust the “HTTP_PROXY” environment variable when generating forward requests. This namespace conflict allows an attacker to remotely configure the HTTP_PROXY environment variable on a web server by submitting a malicious Proxy: HTTP header. An attacker could launch a man-in-the-middle attack and redirect traffic to an arbitrary host. An adversary might also be able to intercept traffic and decipher sensitive communications. Or a cybercriminal could execute a denial of service attack by forcing vulnerable software to use a malicious proxy to tie up server resources.

Do I need to worry about it?

Yes, if your server-side web applications run in CGI or CGI-like environments, such as some FastCGI configurations. Languages known to be affected so far include PHP, Python, and Go.

Am I protected with Indusface Web Application Firewall?

Yes, Indusface WAF has been updated to block the exploitation.

Is there something I can do?

The best immediate mitigation is to block Proxy request headers as early as possible, before they reach your application. All affected platforms and vendors have released patches for this vulnerability; apply them.
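The namespace conflict described under "What are the risks?" and the header-blocking mitigation above, shown side by side as an added example (not Indusface code). The request headers are constructed, the CGI mapping follows RFC 3875, and the application-side check is modelled on the approach Python's urllib adopted (ignore HTTP_PROXY when REQUEST_METHOD shows the environment came from a web request).

```python
"""HTTPoxy: how a client 'Proxy:' header becomes HTTP_PROXY, and two mitigations."""
from typing import Dict, Optional

# Constructed sample request, as a CGI gateway would receive it.
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "app.example.com",
    "User-Agent": "curl/7.0",
    "Proxy": "http://untrusted-proxy.example:8080",  # the HTTPoxy vector
}


def cgi_env_from_headers(headers: Dict[str, str], method: str = "GET") -> Dict[str, str]:
    """Build the CGI environment the way RFC 3875 prescribes: every request
    header becomes HTTP_<NAME> (upper-case, '-' replaced by '_').
    'Proxy' therefore collides with the conventional HTTP_PROXY variable."""
    env = {"REQUEST_METHOD": method}  # a CGI gateway always sets this
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_proxy(env: Dict[str, str]) -> Optional[str]:
    """Vulnerable lookup: trusts HTTP_PROXY wherever it came from."""
    return env.get("HTTP_PROXY")


def safe_proxy(env: Dict[str, str]) -> Optional[str]:
    """Application-side mitigation: when REQUEST_METHOD is present the
    environment was populated from a web request, so HTTP_PROXY is
    attacker-influenced and must be ignored. Outside CGI it is honoured."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Edge mitigation (what a WAF or reverse proxy does): drop the 'Proxy'
    request header before it reaches the gateway. Names are case-insensitive."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


if __name__ == "__main__":
    env = cgi_env_from_headers(SAMPLE_HEADERS)
    print("vulnerable client would use:", naive_proxy(env))
    print("patched client uses:", safe_proxy(env))
    print("after edge filtering:", naive_proxy(cgi_env_from_headers(strip_proxy_header(SAMPLE_HEADERS))))
```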