Security: 'httpoxy' Application Vulnerability and Mitigation


Applies To:
Zend Server PHP (FastCGI and Apache Module)
Web Server, Load Balancer and Gateway / Proxy in front of Zend Server

Summary (official announcement)
As you may have heard, a new vulnerability named "httpoxy" has been found to affect multiple web servers and languages.  It may allow a remote attacker to cause outbound HTTP requests made by backend code (e.g. PHP or Python scripts) to be routed through a proxy of the attacker's choosing.  The consequences range from disclosure of data (the attacker's proxy sees every outbound request it relays, headers and body included) to denial of service if that proxy simply drops the traffic.

While technically not a bug, this design flaw can have substantial repercussions unless mitigated.

Thankfully, it is relatively easy to mitigate this vulnerability via configuration updates to most web servers.  We recommend that all users of Zend Server take the necessary steps to update their web server configuration to block this vulnerability.

Technical
When a request carries an HTTP header named "Proxy", the CGI mechanism (RFC 3875) exports it to the backend as the environment variable HTTP_PROXY: every request header becomes a variable named HTTP_ followed by the header name upper-cased, with hyphens replaced by underscores.  HTTP_PROXY is also the popular environment variable that the HTTP client libraries used by backend languages, PHP included, read as their outbound proxy setting.
This yields a remotely triggerable vulnerability: the attacker chooses the proxy host and port through which the PHP application's outbound HTTP connections are sent, instead of the direct connections the application expects to be making.

How this affects PHP applications:
The exposure boils down to PHP library or framework code that has not been updated with a fix for this vulnerability and still reads the http_proxy / HTTP_PROXY environment value (or an emulated equivalent obtained via getenv() or $_SERVER) to decide which proxy to connect through, so that the value passed to PHP from the 'Proxy' request header controls where outbound connections go.
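The following is an added example, not code from the Zend article or from PHP; it reproduces the mechanism described in the Technical section so it can be run offline. It builds the RFC 3875 meta-variables for a constructed attacker request, shows how an unfixed client library resolves its proxy from them, and shows the two places a defence can sit: in the library (the guard that Go's net/http and Python's urllib adopted, ignoring uppercase HTTP_PROXY whenever REQUEST_METHOD is set; curl instead stopped reading uppercase HTTP_PROXY altogether) and at the gateway (block or strip the header). Host names, ports and the sample request are constructed for the demonstration.

```python
"""Added example for this article (not Zend's or PHP's own code): how a
client-supplied "Proxy:" request header becomes HTTP_PROXY under the RFC 3875
CGI mapping, how an unfixed HTTP client library then picks it up, and where
a defence can sit. The sample request and all hosts/ports are constructed."""
from typing import Dict, Mapping, Optional

# Constructed attacker request: an ordinary GET plus the non-standard header.
ATTACK_HEADERS: Dict[str, str] = {
    "Host": "app.example",
    "User-Agent": "curl/7.47.0",
    "Proxy": "attacker.example:8080",
}


def cgi_meta_vars(headers: Mapping[str, str], method: str = "GET") -> Dict[str, str]:
    """Meta-variables a CGI/FastCGI gateway exports for request headers
    (RFC 3875 section 4.1.18): "HTTP_" + header name upper-cased, with "-"
    replaced by "_". REQUEST_METHOD is always present under CGI."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def resolve_proxy_naive(env: Mapping[str, str]) -> Optional[str]:
    """Pre-fix client library behaviour: honour http_proxy or HTTP_PROXY
    regardless of where the process is running."""
    for key in ("http_proxy", "HTTP_PROXY"):
        if env.get(key):
            return env[key]
    return None


def resolve_proxy_guarded(env: Mapping[str, str]) -> Optional[str]:
    """Fixed behaviour: lowercase http_proxy (settable only by the operator,
    never by a request header) is still honoured, but uppercase HTTP_PROXY is
    ignored when REQUEST_METHOD is set, i.e. under CGI, because a request
    header could have produced it."""
    if env.get("http_proxy"):
        return env["http_proxy"]
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY") or None


def is_httpoxy_attempt(headers: Mapping[str, str]) -> bool:
    """Gateway-side check for mitigation 1 (block): any non-empty Proxy header."""
    return any(n.lower() == "proxy" and v != "" for n, v in headers.items())


def scrub_proxy_header(headers: Mapping[str, str]) -> Dict[str, str]:
    """Gateway-side mitigation 2 (strip): drop the header so that no
    HTTP_PROXY variable is ever exported to the backend."""
    return {n: v for n, v in headers.items() if n.lower() != "proxy"}


def outcome(headers: Mapping[str, str], library_fixed: bool) -> Optional[str]:
    """Proxy the backend would actually use for this request, given whether
    its HTTP client library carries the fix."""
    env = cgi_meta_vars(headers)
    return resolve_proxy_guarded(env) if library_fixed else resolve_proxy_naive(env)


if __name__ == "__main__":
    print("unfixed library, unfiltered request:", outcome(ATTACK_HEADERS, False))
    print("fixed library, unfiltered request:  ", outcome(ATTACK_HEADERS, True))
    print("unfixed library, scrubbed request:  ",
          outcome(scrub_proxy_header(ATTACK_HEADERS), False))
```

The third line of output is the case this article is about: even with an unfixed library, a request that has had its Proxy header stripped at the web server or load balancer produces no HTTP_PROXY variable, so the backend makes its outbound connections directly.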

Mitigation
Either of two methods can be used for mitigation:
1. Blocking offending requests that carry the non-standard "Proxy" HTTP header (for example, answering them with 403).
2. Stripping or emptying the "Proxy" header, so the request continues without interruption and no HTTP_PROXY variable reaches the backend.

Apply one of the above as close to the client as possible (that is, as far from the PHP code as possible: at the load balancer or gateway if there is one), so that every path to the backend is covered by a single rule.

Mitigation will NOT harm the server software or legitimate traffic, because "Proxy" is not a standard HTTP header and is not sent by browsers or other normal HTTP/HTTPS clients.

Mitigation regarding PHP applications:
If the HTTP header never reaches PHP, the library or framework cannot pick up a malicious proxy and the application is safe, even if the library or framework has not been updated with a fix.

Securing internal communication with HTTPS:
This prevents the issue at the source without blocking anything: outbound HTTPS connections consult https_proxy rather than http_proxy, and an attacker cannot inject HTTPS_PROXY because every request header is exported with the HTTP_ prefix (a header named "https_proxy" would become HTTP_HTTPS_PROXY).  Note that this only protects the application's outbound calls that are actually made over HTTPS; any remaining plain-HTTP calls stay exposed, so header filtering is still advisable.
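As an added example (not configuration shipped with Zend Server or taken from the article), the two mitigation methods above expressed as Apache httpd 2.4 directives, placed in the server or virtual host context of httpd.conf in one of the conf directories listed under Further Reading. The strip variant needs mod_headers; the block variant needs mod_rewrite. Use one or the other; both together are harmless but redundant.

```apache
# Added example (not from the Zend article): Apache httpd 2.4 httpoxy mitigation.
# Place in the server or <VirtualHost> context; requires mod_headers and, for
# the blocking variant, mod_rewrite.

# Mitigation 2 (strip): remove the header before any handler, FastCGI backend
# or mod_php sees it, so no HTTP_PROXY meta-variable is ever exported.
# "early" applies the directive in the early request-processing phase rather
# than just before the handler runs.
<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>

# Mitigation 1 (block): reject any request carrying a non-empty Proxy header
# with 403 Forbidden instead of silently dropping the header.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP:Proxy} .
    RewriteRule ^ - [F]
</IfModule>
```

For NginX in front of PHP-FPM the equivalent of the strip variant is to set fastcgi_param HTTP_PROXY to an empty string in the FastCGI location, and for NginX used as a reverse proxy to set proxy_set_header Proxy to an empty string, as described in the NginX blog post linked under Online References. After applying either rule, verify it by sending a request with a Proxy header (curl -H 'Proxy: 127.0.0.1:9999') to a page that echoes $_SERVER and confirming that HTTP_PROXY is absent, or that the request is refused.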

Further Reading:
For specific technology please open https://httpoxy.org, then locate the Web Server or Load Balancer software you are using, and configure to block against possible 'proxy' header with incoming HTTP requests.

Below are common configuration resources for Zend Server installations.

Lighttpd (Zend Server GUI) under Linux / Mac
/usr/local/zend/gui/lighttpd/etc/lighttpd.conf

NginX / PHP-FPM under Linux
/etc/nginx/nginx.conf

Apache under Linux
/etc/apache2
/etc/httpd

Apache under Mac
/usr/local/zend/apache2/conf

Apache under Windows
C:\Program Files (x86)\Zend\Apache24\conf

Apache under IBM i
The conf directory: wrklnk '/www/zendsvr6/conf'
Then, edit httpd.conf according to Apache instructions for removing the proxy header.
Apply IBM PTF: PTFs to mitigate httpoxy on IBM i

IIS under Windows
%systemroot%\system32\inetsrv\config

Online References
Read about the httpoxy exploit in general - https://httpoxy.org
CVE-2016-5385 - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5385
NginX blog post - https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx
Microsoft KB3179800 - https://support.microsoft.com/en-us/kb/3179800

For any updates, questions or comments, please open a support ticket and we will be happy to further assist.
