1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
https://www.apache.org/security/asf-httpoxy-response.txt
Apache HTTP Server may be configured to proxy HTTP requests as a forward
or reverse (gateway) proxy server, can proxy requests to a FastCGI service
using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi
or mod_cgid or the related mod_isapi service. The project's mod_fcgid
subproject (available as a separate add-in module) directly manages CGI
scripts using the FastCGI protocol.
It may also be configured to directly host a number of external modules
which run CGI-style applications in-process. The server itself does not
modify the CGI environment in this case, however, these external modules
may perform such modifications of their environment variables in-process.
Such examples include mod_php, mod_perl and mod_wsgi.
To mitigate "httpoxy" issues across all of the above mechanisms, the most
direct solution is to drop any "Proxy:" header arriving from an upstream
proxy server or the origin user-agent. this will mitigate the issue for any
vulnerable back-end server or CGI across all traffic through this server.
The two lines below enabled in the httpd.conf file will remove the "Proxy:"
header from all incoming requests, before further processing;
LoadModule headers_module {path-to}/mod_headers.so
RequestHeader unset Proxy early
(Users who have mod_headers compiled-in to the httpd binary must omit
the LoadModule directive above, others must adjust the {path-to} to point
to the mod_headers.so file.)
If the administrator wishes to preserve the value of the "Proxy:" header
for most traffic, and only eliminate it from the CGI environment variable
HTTP_PROXY, a second mitigation is offered. This patch will address this
behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid,
along with all other consumers of httpd's built-in environment handling.
The bundled httpd modules all rely on ap_add_common_vars() to set up the
target CGI environment. The project will include the recommended patch
below in all subsequent releases of httpd, including 2.4.24 and 2.2.32.
Users who build httpd 2.2.x or 2.4.x from source may apply the patch below,
recompile and re-install httpd to obtain this mitigation. This migitation
has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>.
======= Patch to httpd sources 2.4.x and 2.2.x =======
--- server/util_script.c (revision 1752426)
+++ server/util_script.c (working copy)
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
else if (!strcasecmp(hdrs[i].key, "Content-length")) {
apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
}
+ /* HTTP_PROXY collides with a popular envvar used to configure
+ * proxies, don't let clients set/override it. But, if you must...
+ */
+#ifndef SECURITY_HOLE_PASS_PROXY
+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+ ;
+ }
+#endif
/*
* You really don't want to disable this check, since it leaves you
* wide open to CGIs stealing passwords and people viewing them
|
