![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
- Joined
- Aug 20, 2006
- Messages
- 13,000
The Apache Software Foundation, Red Hat, Ngnix, and others are rushing to fix httpoxy, which affects application code running in CGI or CGI-like environments and boils down to a namespace conflict that can lead to a remotely exploitable vulnerability.
These security holes can be exploited to seize control of a vulnerable web app. Basically, you abuse the Proxy HTTP header in a request to the application to set a common environment variable called HTTP_PROXY. The app then uses the proxy server defined by that variable for any of its outgoing connections. So, if you point HTTP_PROXY at a malicious server, you can intercept the web app's connections to other systems and, depending on how the code works, potentially gain remote code execution. It hinges on whether or not the app makes outgoing connections as part of its operation, and if they can be usefully exploited.
These security holes can be exploited to seize control of a vulnerable web app. Basically, you abuse the Proxy HTTP header in a request to the application to set a common environment variable called HTTP_PROXY. The app then uses the proxy server defined by that variable for any of its outgoing connections. So, if you point HTTP_PROXY at a malicious server, you can intercept the web app's connections to other systems and, depending on how the code works, potentially gain remote code execution. It hinges on whether or not the app makes outgoing connections as part of its operation, and if they can be usefully exploited.