Quindecennial Old Httpoxy Flaw Exploited

Quindecennial old httpoxy flaw exploitedAn httpoxy security flaw from 15 years back is responsible for developers to rush into and fixing the issue. A range of server software is affected by the httpoxy flaw such as Apache HTTP, PHP engine, Apache TomCat, Python, HHVM etc. Applications running on CGI or equivalent environment are affected and this is caused by a simple namespace conflict.

A security weakness is caused as the RFC 3875 puts the HTTP proxy header from a request into environmental variables in CGI, this can be used to configure outgoing proxies. This can be exploited by attackers since it allows to execute codes remotely. Only thing needs to be done is to proxy the outgoing request to a malicious server which will force the web application to use a malicious proxy.

The httpoxy is only effective for server-side web applications and no need for any action if no code is deployed. The proxy headers should be immediately blocked for any further damage mentioned the Vend security team, guided by Dominic Scheirlinck which discovered the problem. Though the bug has been discovered way back it’s now when the severity of it has been known due to some serious security exploitation. Including a simple block of the proxy, many other quick fixes are available.