Dominic Scheirlinck and the httpoxy disclosure team disclosed a vulnerability on Monday, July 18th that affects many PHP and CGI web-apps.
Many origin web applications (particularly PHP and CGI applications) unsafely trust the "HTTP_PROXY" environment variable when generating forward requests. The CGI spec (which PHP also follows) calls for the incoming header to be converted to an environment variable before executing the cgi application. The conversion specifies that "HTTP_" be prepended to the incoming header name. This means that an attacker can set the "HTTP_PROXY" environment variable for a vulnerable application by sending a "PROXY" HTTP header.
This sample request will cause "vulnerable_app.cgi" to use "some_evil.site" as a proxy for any HTTP requests that it issues.
GET /cgi-bin/vulnerable_app.cgi HTTP/1.1
Potentially affected environment variables:
What should you do if you own a vulnerable website?
Akamai has moved to protect the vast majority of its customers by blocking the HTTP headers which would alter these variables in a CGI/PHP environment.
We highly recommend that, even if you are an Akamai customer, you protect your application servers immediately, as described at httpoxy.org.