Reference: CERT-EU Security Advisory 2016-130
Title: HTTPoxy - CGI "HTTP_PROXY" variable name clash
Version history: 19/07/2016 Initial publication.

Summary:
========
Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts [1].

Products Affected:
==================
Web servers running in a CGI or CGI-like context, for instance:
Apache HTTP web server
Microsoft IIS with PHP or a CGI framework

Programming languages and the following environments and clients:

Language: PHP
Environment: php-fpm, mod_php, Guzzle 4+
HTTP client: Artax

Language: Python
Environment: wsgiref.handlers.CGIHandler, twisted.web.twcgi.CGIScript
HTTP client: requests

Language: Go
Environment: net/http/cgi
HTTP client: net/http

Recommendations:
================
Where applicable, affected products and components should be updated to address this vulnerability. Check with vendors for information about patching. Where patches are unavailable or updating is not an option, workarounds can be considered [1][2][3].

References:
===========
[1] http://www.kb.cert.org/vuls/id/797896
[2] https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability
[3] https://httpoxy.org/

Best Regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
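The name clash described in the Summary comes from the CGI rule that turns every request header into an HTTP_-prefixed meta-variable, so a client "Proxy" header lands in HTTP_PROXY, the variable many HTTP clients read for their outbound proxy. The following Python is an added example, not code from CERT-EU or from any of the affected projects: it models that mapping, a check for an exposed CGI environment, and the environment-scrubbing workaround; the request headers and proxy URL are constructed sample values.

```python
"""Added example, not part of the CERT-EU advisory: models the RFC 3875 header
to meta-variable mapping that produces the HTTP_PROXY clash, a check a
defender can run against a CGI environment, and the mitigation (drop the
variable before any HTTP client reads it). Sample headers are constructed."""
from typing import Dict, Optional


def cgi_meta_variables(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Derive HTTP_* meta-variables the way a CGI gateway does (RFC 3875, 4.1.18):
    header name upper-cased, '-' replaced by '_', prefixed with 'HTTP_'."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in request_headers.items()}


def proxy_for_http(environ: Dict[str, str]) -> Optional[str]:
    """Simulates an HTTP client that honours the *_proxy environment convention
    case-insensitively, which is what made the advisory's clients affected."""
    for name, value in environ.items():
        if name.lower() == "http_proxy" and value:
            return value
    return None


def httpoxy_exposed(environ: Dict[str, str]) -> bool:
    """Detection: in a CGI context (REQUEST_METHOD is set) an upper-case
    HTTP_PROXY is suspect, since a Proxy header maps to exactly that name."""
    return "REQUEST_METHOD" in environ and "HTTP_PROXY" in environ


def sanitize_cgi_environ(environ: Dict[str, str]) -> Dict[str, str]:
    """Mitigation: drop HTTP_PROXY before handing the environment to code that
    makes sub-requests. Lower-case http_proxy is an operator setting that the
    header mapping never produces, so it is kept."""
    return {k: v for k, v in environ.items() if k != "HTTP_PROXY"}


# Constructed sample request; the "Proxy" header is client-controlled input.
SAMPLE_HEADERS = {"Host": "app.example", "User-Agent": "curl/7.50",
                  "Proxy": "http://proxy.example.invalid:8080"}


def demo() -> Dict[str, Optional[str]]:
    environ = {"REQUEST_METHOD": "GET", **cgi_meta_variables(SAMPLE_HEADERS)}
    return {"before": proxy_for_http(environ),
            "after": proxy_for_http(sanitize_cgi_environ(environ))}


if __name__ == "__main__":
    print(demo())  # {'before': 'http://proxy.example.invalid:8080', 'after': None}
```

The same scrub applies at the web server (unsetting HTTP_PROXY before the CGI process starts, as references [2] and [3] describe), which covers every language at once rather than one client library.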