Linux command: creating a snapshot with dmsetup

########################################################################
# This document provides information that can be used to assist the security
# of a server against this vulnerability. Don't use what you learn here
# to test/check/attack a server without permission from the server owner.
# The information in this document is provided only to help improve system
# security against this vulnerability; do not use it for unauthorized testing or attacks.
########################################################################

HTTPoxy - Apache CGI Vulnerability

Refs:
https://httpoxy.org/
https://tools.ietf.org/html/rfc3875
https://www.hkcert.org/my_url/en/alert/16071901
https://www.apache.org/security/asf-httpoxy-response.txt
https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/

Testing Environment:
  OS Version:     CentOS release 6.8 (Final)
  Apache Version: 2.2.15 (CentOS)

Apache cgi-bin configuration (/etc/httpd/conf/httpd.conf):
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
AddHandler cgi-script .cgi .sh .pl

For testing, I created a simple testing CGI file with bash shell commands:
# vi /var/www/cgi-bin/httpoxy.sh
------------------------------------------------------------------------
#!/bin/sh
echo "Content-type: text/html"
# A blank line must end the CGI header block; without it Apache rejects the
# output as a malformed header instead of serving the HTML below.
echo ""
echo "<html>"
echo "<body>"
echo "HTTP_PROXY: $HTTP_PROXY"
echo "</body>"
echo "</html>"
------------------------------------------------------------------------

Set the execute permission on the shell CGI script:
# chmod 755 /var/www/cgi-bin/httpoxy.sh

Then access the CGI script with curl and look at the response:
$ curl http://10.10.0.6/cgi-bin/httpoxy.sh
<html>
<body>
HTTP_PROXY:
</body>
</html>


If I include an extra header in the request:
$ curl -H "Proxy:hacker_server:port" http://10.10.0.6/cgi-bin/httpoxy.sh
<html>
<body>
HTTP_PROXY: hacker_server:port
</body>
</html>


As you can see, the CGI environment variable has been changed by the request header!


Open this CGI script in a browser; you should see:

(pic:httpoxy-apache-cgi-bash-1.jpg)


Try modifying the header:

(pic:httpoxy-apache-cgi-bash-2.jpg)



How to fix?

Ref: https://www.apache.org/security/asf-httpoxy-response.txt

# vi /etc/httpd/conf/httpd.conf
LoadModule headers_module modules/mod_headers.so
RequestHeader unset Proxy early

Note: With the two lines above enabled in httpd.conf, Apache removes the "Proxy:" header from every incoming request before any further processing, so it mitigates httpoxy across all of Apache's CGI mechanisms: PHP (FastCGI/CGI), Perl CGI scripts, shell CGI scripts, and so on.
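To show why the header-stripping fix works, here is an added example (not from the original page or from Apache) that models the RFC 3875 header-to-environment mapping behind the curl tests above and the effect of removing the Proxy header before CGI processing. The header names and values are constructed; header_to_meta_variable, build_cgi_environ, unset_proxy_header and httpoxy_exposed are hypothetical helper names.

```python
"""Model of RFC 3875 header-to-environment mapping and the mod_headers fix."""
# Added example, not from the original page or from Apache: it shows why a
# client-supplied "Proxy:" header lands in HTTP_PROXY under RFC 3875 and how
# dropping that header before CGI processing (what 'RequestHeader unset Proxy'
# does) keeps it out of the script environment. All header values are constructed.


def header_to_meta_variable(name: str) -> str:
    """RFC 3875 section 4.1.18: 'HTTP_' + upper-cased name with '-' -> '_'."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def build_cgi_environ(headers):
    """Build the HTTP_* meta-variables a CGI handler would export.

    Header names are case-insensitive, so 'proxy' and 'Proxy' both become
    HTTP_PROXY; repeated headers are joined with ', ' as the RFC allows.
    """
    env = {}
    for name, value in headers:
        key = header_to_meta_variable(name)
        env[key] = env[key] + ", " + value.strip() if key in env else value.strip()
    return env


def unset_proxy_header(headers):
    """Model of 'RequestHeader unset Proxy': remove the header (any case)
    before the request reaches CGI/FastCGI, so HTTP_PROXY is never exported."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]


def httpoxy_exposed(env) -> bool:
    """True when the CGI environment carries a request-supplied HTTP_PROXY."""
    return "HTTP_PROXY" in env


# Constructed request, mirroring the curl test with the extra header.
SAMPLE_HEADERS = [
    ("Host", "10.10.0.6"),
    ("User-Agent", "curl/7.19.7"),
    ("proxy", "hacker_server:port"),  # lower-case on purpose: still maps to HTTP_PROXY
]

if __name__ == "__main__":
    before = build_cgi_environ(SAMPLE_HEADERS)
    after = build_cgi_environ(unset_proxy_header(SAMPLE_HEADERS))
    print("without fix:", before.get("HTTP_PROXY"), "exposed:", httpoxy_exposed(before))
    print("with fix:   ", after.get("HTTP_PROXY"), "exposed:", httpoxy_exposed(after))
```

The lower-case "proxy" in the sample is deliberate: the mapping upper-cases every name, so a filter that only matched "Proxy" exactly would miss it, which is why the removal is case-insensitive here, as it is in mod_headers.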

Ref: https://httpoxy.org/#fix-now
Example of the same directive in a .htaccess file:
<IfModule mod_headers.c>
   RequestHeader unset Proxy
</IfModule>


# /etc/init.d/httpd restart

Then send the extra header with curl again:
$ curl -H "Proxy:hacker_server:port" http://10.10.0.6/cgi-bin/httpoxy.sh
<html>
<body>
HTTP_PROXY:
</body>
</html>

You should see that the HTTP_PROXY variable is now empty!