HTTPoxy Vulnerability and Caddy #955
Comments
https://golang.org/doc/devel/release.html It's fixed 😄 @mholt do you use Golang 1.6.3 (build server)?
Caddy 0.9.0 is built with Go 1.6.3. Although FastCGI doesn't use Go's built-in transport facilities; I believe it makes a raw socket connection. I'll have to double-check, maybe get this patched in 0.9.1.
Well, I thought we used the built-in transport facilities 😢
Does PHP even use the HTTP_PROXY env variable to control where to make requests through? Trying to understand the extent of this vulnerability in this context... if the web application is using an environment variable from headers (HTTP_PROXY in this case), that is its own fault, not Caddy's for passing it on to the application. There might not be anything to fix here, except your PHP app.
After looking at the source to see how FastCGI is implemented and how environment variables are passed, Caddy (and FastCGI) does not look vulnerable. If no one else is able to prove otherwise, I think we can close this issue.
http://php.net/ChangeLog-7.php#7.0.9
https://httpoxy.rehmann.co/ --> The service has queried domain.com using httpoxy headers, but received no http_proxy request
UPDATE: Create a file called httpoxy.php with the following content
Run:
Results: "Vulnerable!" (Ubuntu 16.04 -- non fixed PHP) PHP Script Source (https://www.lowendtalk.com/discussion/88058/info-httpoxy-vulnerability-may-impact-to-web-servers)
Right, that's an example of a web app that would use a value from the request header to direct an HTTP request. (Image credit: https://twitter.com/rob_pike/status/617548868641656832)
I know 😄 -- Should we "disable/remove" the header? P.S.: Nice GIF 👍
I guess since PHP patched the issue it's no longer needed to disable the header, people just have to update PHP :) |
I am just caring about our beloved users!
Update the broken software instead. |
@mholt I am not using it! To repeat it: "I am just caring about our beloved users!" 😄 Have a nice day, thank you for Caddy -- I ❤️ it
If the user chooses to do that then it is not fair if Caddy prevents him/her 😄
Original post at https://www.lowendtalk.com/discussion/88058/info-httpoxy-vulnerability-may-impact-to-web-servers
I can confirm this vulnerability exists on Caddy-based environments:
The best solution meanwhile is dropping or blocking the proxy header. I have attempted the following:
But the issue persists. I have also tried
env proxy ""
and it does the same. So, how do we strip out a header? Running Caddy 0.9.0 and PHP 7.0.
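The mechanism the thread is discussing, as an added Go example that is not Caddy's own FastCGI code: how a request header is turned into an HTTP_* CGI variable (so a client-sent Proxy header becomes HTTP_PROXY for the PHP backend), and the header-stripping mitigation the original post asks for. headerToCGIEnv and stripProxyHeader are hypothetical helpers; the sample request is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// headerToCGIEnv mirrors the CGI/FastCGI convention that turns each request
// header into an HTTP_* variable: upper-case, '-' replaced by '_'.
// A client-supplied "Proxy: evil.example:8080" header therefore reaches an
// unpatched PHP backend as HTTP_PROXY, which it reads as its outbound proxy
// setting. That is the httpoxy problem discussed in this issue.
// (Hypothetical helper; not Caddy's own code.)
func headerToCGIEnv(h http.Header, dropProxy bool) map[string]string {
	env := make(map[string]string)
	for name, values := range h {
		if dropProxy && strings.EqualFold(name, "Proxy") {
			continue // mitigation: never forward Proxy as HTTP_PROXY
		}
		key := "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
		env[key] = strings.Join(values, ", ")
	}
	return env
}

// stripProxyHeader wraps a handler so the Proxy header is removed before
// the request reaches any CGI/FastCGI backend. (Hypothetical middleware.)
func stripProxyHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("Proxy")
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample headers carrying a hostile Proxy value.
	h := http.Header{}
	h.Set("Proxy", "evil.example:8080")
	h.Set("User-Agent", "demo")

	fmt.Println("forwarded as-is:", headerToCGIEnv(h, false))
	fmt.Println("Proxy dropped:  ", headerToCGIEnv(h, true))
}
```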