Vulnerability details and summary from <http://bobao.360.cn/learning/detail/2903.html>
httpoxy is a newly exposed vulnerability that is mainly present in Apache and other components: the Proxy field in the HTTP request header is converted to the name "HTTP_PROXY", with its value unchanged, and is then passed to the corresponding CGI for execution. If the CGI, or a component the script uses to make external requests, relies on the "HTTP_PROXY" environment variable, that variable may be contaminated.
The situation is more serious when the connection requested inside the CGI is one that involves internal, private links.
The underlying principle is basically covered in the "Preface"; here is a simple test example.
Create a file there called "360sec.sh" with the following content:
Then simulate a request; note that the Proxy field value 220.127.116.11:3000 is a proxy I set up.
Once the request is done, you can see 22.214.171.124's request on 18.104.22.168. Note: wget and curl actually use the lowercase "http_proxy" and are not affected by this; I modified the example slightly for convenience, but it is essentially the same.
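The header-to-variable conversion described above, together with the note that clients reading only the lowercase "http_proxy" are unaffected, as an added Python example that is not part of the original article. The header values, the 192.0.2.10 address and all function names are constructed for illustration; `strip_proxy` models the common mitigation of discarding the client's Proxy header before the CGI environment is built, which the article itself does not describe.

```python
# Constructed request headers; 192.0.2.10 is a documentation address.
SAMPLE_HEADERS = {"Host": "cgi.example", "User-Agent": "demo", "Proxy": "192.0.2.10:3000"}


def header_to_cgi_var(name):
    """CGI rule (RFC 3875): upper-case the header name, '-' becomes '_', prefix HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_env(headers, strip_proxy=False):
    """Return the environment a CGI script would receive for these headers.

    strip_proxy=True models the mitigation of discarding the client's
    Proxy header before the environment is built.
    """
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET"}
    for name, value in headers.items():
        if strip_proxy and name.lower() == "proxy":
            continue
        env[header_to_cgi_var(name)] = value
    return env


def proxy_used(env, reads_uppercase):
    """Proxy an HTTP client started by the CGI would pick up from env.

    reads_uppercase=False models a client that honours only lowercase
    http_proxy; on Unix names are case-sensitive, so HTTP_PROXY is ignored.
    """
    if "http_proxy" in env:
        return env["http_proxy"]
    return env.get("HTTP_PROXY") if reads_uppercase else None


def client_controlled_proxy(headers, env):
    """Detection check: HTTP_PROXY in a CGI environment equals the Proxy header."""
    sent = {k.lower(): v for k, v in headers.items()}.get("proxy")
    return sent is not None and "GATEWAY_INTERFACE" in env and env.get("HTTP_PROXY") == sent


if __name__ == "__main__":
    for strip in (False, True):
        env = build_cgi_env(SAMPLE_HEADERS, strip_proxy=strip)
        print("strip_proxy=%s HTTP_PROXY=%r upper-reader=%r lower-reader=%r tainted=%s" % (
            strip, env.get("HTTP_PROXY"), proxy_used(env, True),
            proxy_used(env, False), client_controlled_proxy(SAMPLE_HEADERS, env)))
```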
Reasons to be glad and not so glad:
1. Many internal APIs use trusted SSL communication, so in practice they are not affected.
2. Although https://httpoxy.org/ cites some examples, it does not look like that much is affected.
3. The most amusing part is that wget/curl are not affected; if there are other objections, feedback is welcome.
4. But viewed with a malicious mindset, various attack techniques will probably start to break out next; which kind of techniques is not yet certain.
Calm down and look at this hole: the repair work it calls for is depressing.
To already have the insider link.