HTTpoxy Flaw Re-emerges After 15 Years and Gets Fixed
After lying dormant for years, flaws in the HTTP Proxy header used in programming languages and applications, such as PHP, Go and Python, have now been fixed.Some flaws take longer—a lot longer—than others to get fixed. The newly named HTTpoxy vulnerability was first discovered back in March 2001 and fixed in the open-source Perl programming language, but it has sat dormant in multiple other languages and applications until July 18. The HTTPoxy flaw is a misconfiguration vulnerability in the HTTP_PROXY variable that is commonly used by Common Gateway Interface (CGI) environment scripts. The HTTPoxy flaw could potentially enable a remotely exploitable vulnerability on servers, enabling an attacker to run code or redirect traffic. The flaw at its core is a name space conflict between two different uses for a server variable known as HTTP Proxy. "There is a common system environment variable called "HTTP_PROXY," which can be used to communicate the HTTP (and sometimes HTTPS) proxy settings for an outgoing HTTP proxy to an application," Red Hat explains in its advisory on HTTpoxy. "This variable has a completely different purpose and context to that of the HTTP server-script variable." Red Hat's advisory notes that applications, language libraries and scripting modules use the HTTP server script environment variable to help configure a proxy for subsequent outgoing HTTP traffic. The risk is that since the two variables can be confused, an attacker could potentially redirect a server's outgoing connection to an arbitrary location. The HTTpoxy flaw has a widespread impact, with the open-source PHP, Go, Python and HVVM languages at risk as well as the Apache HTTP and Tomcat servers. As myriad applications rely on those languages and servers, there are multiple updates from application projects as well, including the popular Drupal open-source content-management system, which powers many U.S. government Websites, including Whitehouse.gov.
Christopher Robinson, manager, Red Hat product security program management, explained that the HTTpoxy issue was first identified and fixed in 2001 in a Perl library. Perl is a popular open-source programming language.