Dominic Scheirlinck of VendHQ reports: Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service. The Apache HTTPD server sets various environmental variables based on headers that can then be used in CGI scripts (e.g. via mod_cgi). If passed a “Proxy” header in the request Apache will automatically populate the HTTP_PROXY environmental variable with whatever user supplied value is present.
Acknowledgments: Name: Scott Geary (VendHQ)
Detailed write-up from the original reporter: https://httpoxy.org/ Advisory from the Apache Software Foundation (which covers httpd, and also Tomcat and Traffic Server): https://www.apache.org/security/asf-httpoxy-response.txt ASF plans to address this issue in httpd versions 2.4.24 and 2.2.32.
External References: https://access.redhat.com/security/vulnerabilities/httpoxy https://httpoxy.org/ https://www.apache.org/security/asf-httpoxy-response.txt
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1357597]
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Via RHSA-2016:1420 https://access.redhat.com/errata/RHSA-2016:1420
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:1422 https://access.redhat.com/errata/RHSA-2016:1422
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2016:1421 https://access.redhat.com/errata/RHSA-2016:1421
httpd-2.4.23-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
httpd-2.4.23-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat JBoss Web Server 3.0.3 Via RHSA-2016:1624 https://rhn.redhat.com/errata/RHSA-2016-1624.html
This issue has been addressed in the following products: Red Hat JBoss Core Services Apache HTTP 2.4.6 Via RHSA-2016:1625 https://rhn.redhat.com/errata/RHSA-2016-1625.html
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Via RHSA-2016:1635 https://access.redhat.com/errata/RHSA-2016:1635
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2016:1636 https://access.redhat.com/errata/RHSA-2016:1636
This issue has been addressed in the following products: Red Hat JBoss Web Server 2.1.1 Via RHSA-2016:1650 https://rhn.redhat.com/errata/RHSA-2016-1650.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Via RHSA-2016:1649 https://rhn.redhat.com/errata/RHSA-2016-1649.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Via RHSA-2016:1648 https://rhn.redhat.com/errata/RHSA-2016-1648.html
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services on RHEL 6 Via RHSA-2016:1851 https://access.redhat.com/errata/RHSA-2016:1851