Reference: CERT-EU Security Advisory 2016-130
Title: HTTPoxy - CGI "HTTP_PROXY" variable name clash
Version history: 19/07/2016 Initial publication.

Summary:
========
Web servers running in a CGI or CGI-like context may assign client
request Proxy header values to internal HTTP_PROXY environment
variables. This vulnerability can be leveraged to conduct
man-in-the-middle (MITM) attacks on internal subrequests or to direct
the server to initiate connections to arbitrary hosts [1].



Products Affected:
==================

Web servers running in a CGI or CGI-like context, for instance:
Apache HTTP web server
Microsoft IIS with PHP or a CGI framework


Programming languages and the following environments and clients:

Language: PHP
Environment: php-fpm,mod_php,Guzzle 4+
HTTP client:Artax

Language: Python
Environment:wsgiref.handlers.CGIHandler,twisted.web.twcgi.CGIScript
HTTP client:requests

Language: Go
Environment: net/http/cgi
HTTP client:net/http


Recommendations:
===============

Where applicable, affected products and components should be updated to
address this vulnerability. Check with vendors for information about
patching.
Where patches are unavailable or updating is not an option, workarounds
can be considered.[1][2][3].



References:
==========
[1] http://www.kb.cert.org/vuls/id/797896

[2]https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability

[3] https://httpoxy.org/


Best Regards,

CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement:
http://cert.europa.eu/cert/plainedition/en/cert_privacy.htmlReference: