CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
99.3%
Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts.
CWE-807: Reliance on Untrusted Inputs in a Security Decision,CWE-454: External Initialization of Trusted Variables or Data Stores
Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. The vulnerable behavior is the result of a naming convention for meta-variables, defined in RFC 3875, which leads to a name collision: “The HTTP header field name is converted to upper case, has all occurrences of “-” replaced with “_” and has “HTTP_” prepended to give the meta-variable name.” Under this rule a client-supplied Proxy header becomes HTTP_PROXY, the same variable that many HTTP client libraries consult to choose an outbound proxy.
According to the researchers, a web server is vulnerable if:
A remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts.
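As an added example (not code from the CERT note or from any vendor listed on this page), the following Python models the RFC 3875 naming rule quoted above, the resulting HTTP_PROXY collision, and the effect of the header-dropping workarounds; the function names and the sample request are constructed for illustration.

```python
# Added example, not from the CERT note: models the RFC 3875 meta-variable
# rule behind httpoxy and the "drop the Proxy header" workaround.
# Names and the sample request below are constructed for illustration.

# RFC 3875 gives Content-Type and Content-Length their own meta-variables;
# every other header goes through the HTTP_ rule.
_OWN_VARIABLE = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def cgi_meta_variable(header_name):
    """Upper-case the name, turn '-' into '_', prepend 'HTTP_' (RFC 3875)."""
    own = _OWN_VARIABLE.get(header_name.lower())
    return own or "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_env(request_headers, process_env):
    """Naive gateway: export every client header as a meta-variable.
    This is the vulnerable behaviour: a client 'Proxy' header lands in
    HTTP_PROXY, overriding whatever the trusted process environment held."""
    env = dict(process_env)
    for name, value in request_headers:
        env[cgi_meta_variable(name)] = value
    return env


def build_cgi_env_hardened(request_headers, process_env, blocked=("proxy",)):
    """Same gateway with the Proxy header dropped before export, which is the
    effect of 'RequestHeader unset Proxy' / 'http-request del-header Proxy'."""
    kept = [(n, v) for n, v in request_headers if n.lower() not in blocked]
    return build_cgi_env(kept, process_env)


def outbound_proxy(env):
    """How a typical HTTP client picks its proxy: HTTP_PROXY wins, then
    http_proxy. An empty value (the nginx 'fastcgi_param HTTP_PROXY ""'
    workaround) counts as unset; None means the subrequest goes direct."""
    return env.get("HTTP_PROXY") or env.get("http_proxy") or None


# Constructed sample request carrying a client-supplied Proxy header.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "198.51.100.7"),
    ("Proxy", "http://untrusted.invalid:8080"),
]
SAMPLE_PROCESS_ENV = {"PATH": "/usr/bin", "REQUEST_METHOD": "GET"}

if __name__ == "__main__":
    vulnerable = build_cgi_env(SAMPLE_HEADERS, SAMPLE_PROCESS_ENV)
    hardened = build_cgi_env_hardened(SAMPLE_HEADERS, SAMPLE_PROCESS_ENV)
    print("vulnerable gateway proxies via:", outbound_proxy(vulnerable))
    print("hardened gateway proxies via:  ", outbound_proxy(hardened))
```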
Apply an update
Where applicable, affected products and components should be updated to address this vulnerability. Check with vendors for information about patching.
Where patches are unavailable or updating is not an option, consider the following workarounds.
Filter Proxy request headers
The researchers and community have identified several filtering strategies that are product-dependent:
Apache/CGI
In this configuration, any language may be vulnerable (the HTTP_PROXY env var is “real”). If you are using mod_headers, you can unset the “Proxy” header with this directive:
RequestHeader unset Proxy
If you are using mod_security, you can use a rule like (vary the action to taste):
SecRuleEngine On
SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"
Refer to Apache’s response for more information.
HAProxy
http-request del-header Proxy
lighttpd <= 1.4.40 (reject requests containing “Proxy” header)
Create “/path/to/deny-proxy.lua”, read-only to lighttpd, with content:
if (lighty.request["Proxy"] == nil) then return 0 else return 403 end
Modify lighttpd.conf to load mod_magnet and run lua code
server.modules += ( "mod_magnet" )
magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )
lighttpd2 (development) (strip “Proxy” header from request)
Add to lighttpd.conf:
req_header.remove "Proxy";
Nginx/FastCGI
Use this to block the Proxy header from being passed on to PHP-FPM, PHP-PM, etc.:
fastcgi_param HTTP_PROXY "";
Nginx with proxy_pass
The following setting should work for people who are using “proxy_pass” with nginx:
proxy_set_header Proxy "";
Microsoft has provided the following guidance for IIS servers utilizing affected third-party frameworks:
Microsoft IIS Mitigation steps:
Update apphost.config
with the following rule:
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
        <match url="*.*" />
        <serverVariables>
          <set name="HTTP_PROXY" value="" />
        </serverVariables>
        <action type="None" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
VU#797896
Notified: July 12, 2016 Updated: July 18, 2016
Statement Date: July 14, 2016
Affected
The Apache Software Foundation has discovered no examples of condition 2 described in the [redacted] report, and has determined there is no “vulnerability” per se in ASF software, which conforms to both RFC822 (circa 1982) and the CGI/1.1 de facto standard (circa 1995, superseded by the CGI/1.1 IANA spec RFC 3875).
Several ASF projects participate in HTTP requests in the manners described under condition 1. The list of projects that will offer one or more mitigations includes but is not limited to:
Apache HTTP Server (httpd) (Tracked as CVE-2016-5387)
Apache Tomcat Server (Tracked as CVE-2016-5388)
Apache Traffic Server (ATS) (Tracking is not applicable)
Projects and subprojects impacted by the Apache HTTP Server mitigations will include mod_fcgid (Apache HTTP Project) and mod_perl (Apache Perl Project), as well as external projects such as mod_wsgi, all hopefully under CVE-2016-5387.
Note specifically that any CVE related to mod_fcgi[d] must be ignored, as it duplicates CVE-2016-5387. We have not reached a conclusion on separate tracking that might be unique to mod_perl itself (thus far, it also appears to duplicate -5387.)
We are not aware of further vendor information regarding this vulnerability.
Updated: July 18, 2016
Affected
We have not received a statement from the vendor.
CVE-2016-5386
Updated: July 13, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: July 18, 2016
Affected
We have not received a statement from the vendor.
CVE-2016-1000109
Notified: July 12, 2016 Updated: July 13, 2016
Affected
If you have installed PHP or any other third party framework on top of IIS, we recommend applying mitigation steps to protect from malicious Redirection or MiM attacks.
Mitigation:
Update apphost.config with the following rule:
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
        <match url="." />
        <serverVariables>
          <set name="HTTP_PROXY" value="" />
        </serverVariables>
        <action type="None" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
We are not aware of further vendor information regarding this vulnerability.
Updated: July 18, 2016
Affected
We have not received a statement from the vendor.
CVE-2016-1000110
Updated: July 18, 2016
Affected
We have not received a statement from the vendor.
CVE-2016-5385
Updated: July 19, 2016
Statement Date: July 19, 2016
Affected
Mitigation of httpoxy is available in lighttpd.
Mitigation:
lighttpd <= 1.4.40 (reject requests containing “Proxy” header)
Create “/path/to/deny-proxy.lua”, read-only to lighttpd, with content:
if (lighty.request["Proxy"] == nil) then return 0 else return 403 end
Modify lighttpd.conf to load mod_magnet and run lua code
server.modules += ( "mod_magnet" )
magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )
lighttpd2 (development) (strip “Proxy” header from request)
Reference:
We are not aware of further vendor information regarding this vulnerability.
Updated: July 13, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: July 12, 2016 Updated: July 12, 2016
Statement Date: July 12, 2016
Not Affected
Please find EfficientIP’s status about VU#797896:
Vendor: EfficientIP
Status: Not Affected
Statement: No version of our software is affected by VU#797896
We are not aware of further vendor information regarding this vulnerability.
Notified: July 12, 2016 Updated: July 12, 2016
Unknown
We have not received a statement from the vendor.
Group | Score | Vector |
---|---|---|
Base | 5.1 | AV:N/AC:H/Au:N/C:P/I:P/A:P |
Temporal | 4.6 | E:POC/RL:ND/RC:C |
Environmental | 1.1 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
Thanks to Dominic Scheirlinck and Scott Geary of Vend for reporting this vulnerability.
This document was written by Joel Land.
CVE IDs: CVE-2016-5385, CVE-2016-5386, CVE-2016-5387, CVE-2016-5388, CVE-2016-1000109, CVE-2016-1000110
Date Public: 2016-07-18
Date First Published: