Advisory: Apache Software Foundation Projects and "httpoxy" CERT VU#797896
Canonical URL: https://www.apache.org/security/asf-httpoxy-response.txt
Publication: v1.0 18 July 2016
Audience
--------
This Advisory is directed to HTTP web server administrators and users of
the software indicated below, including CGI developers.
This Advisory is not directed to a general audience, especially web browser
users. The issues raised by the "httpoxy" class of vulnerabilities affect
web servers, and are not an issue for consumers of web services to address.
Background
----------
The ASF (Apache Software Foundation) offers a number of software packages
which offer HTTP protocol ("Web") requests and responses, and offer the
developer or admininstrator CGI (Common Gateway Interface) routing through
these software packages.
The Apache HTTP Server (httpd and mod_fcgid), Apache Perl (mod_perl) and
Apache Tomcat projects all offer CGI handling of HTTP requests.
The Apache Traffic Server proxies HTTP requests, but offers no CGI support.
Many other ASF projects utilize the HTTP protocol, but at this time we have
not identified any which provide CGI handling, or forward the HTTP "Proxy:"
header implicated in the "httpoxy" class of issues. In the event that other
projects discover such a defect, or can contribute to mitigating this class
of issues, this Advisory will be updated.
Note especially that PHP (http://www.php.net) is not an Apache Software
Foundation project (this is a common point of confusion), and that this
Advisory does not attempt to address third-party software, scripts,
libraries or components affected by the "httpoxy" group of issues.
See https://httpoxy.org/ (not affiliated with the ASF) for a complete
discussion of the "httpoxy" class of issues, which are not reiterated
in this advisory.
The Apache Software Foundation wishes to thank Dominic Scheirlinck
and Scott Geary of Vend for bringing this issue to the attention of
the ASF Security Team for a well-coordinated community response.
Apache HTTP Server (httpd)
--------------------------
Apache HTTP Server may be configured to proxy HTTP requests as a forward
or reverse (gateway) proxy server, can proxy requests to a FastCGI service
using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi
or mod_cgid or the related mod_isapi service. The project's mod_fcgid
subproject (available as a separate add-in module) directly manages CGI
scripts using the FastCGI protocol.
It may also be configured to directly host a number of external modules
which run CGI-style applications in-process. The server itself does not
modify the CGI environment in this case, however, these external modules
may perform such modifications of their environment variables in-process.
Such examples include mod_php, mod_perl and mod_wsgi.
To mitigate "httpoxy" issues across all of the above mechanisms, the most
direct solution is to drop any "Proxy:" header arriving from an upstream
proxy server or the origin user-agent. this will mitigate the issue for any
vulnerable back-end server or CGI across all traffic through this server.
The two lines below enabled in the httpd.conf file will remove the "Proxy:"
header from all incoming requests, before further processing;
LoadModule headers_module {path-to}/mod_headers.so
RequestHeader unset Proxy early
(Users who have mod_headers compiled-in to the httpd binary must omit
the LoadModule directive above, others must adjust the {path-to} to point
to the mod_headers.so file.)
If the administrator wishes to preserve the value of the "Proxy:" header
for most traffic, and only eliminate it from the CGI environment variable
HTTP_PROXY, a second mitigation is offered. This patch will address this
behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid,
along with all other consumers of httpd's built-in environment handling.
The bundled httpd modules all rely on ap_add_common_vars() to set up the
target CGI environment. The project will include the recommended patch
below in all subsequent releases of httpd, including 2.4.24 and 2.2.32.
Users who build httpd 2.2.x or 2.4.x from source may apply the patch below,
recompile and re-install httpd to obtain this mitigation. This migitation
has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>.
======= Patch to httpd sources 2.4.x and 2.2.x =======
--- server/util_script.c (revision 1752426)
+++ server/util_script.c (working copy)
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
else if (!strcasecmp(hdrs[i].key, "Content-length")) {
apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
}
+ /* HTTP_PROXY collides with a popular envvar used to configure
+ * proxies, don't let clients set/override it. But, if you must...
+ */
+#ifndef SECURITY_HOLE_PASS_PROXY
+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+ ;
+ }
+#endif
/*
* You really don't want to disable this check, since it leaves you
* wide open to CGIs stealing passwords and people viewing them
======= End Patch =======
Apache HTTP Server (mod_fcgid)
------------------------------
Either mitigation listed above for Apache HTTP Server (httpd) guidance above
also mitigates all risks for CGI's which are invoked by mod_fcgid. Therefore
any CVE with respect to mod_fcgid is revoked as duplicate of CVE-2016-5387.
Apache Perl Module (mod_perl)
-----------------------------
Either mitigation listed for Apache HTTP Server (httpd) guidance above
also mitigates "httpoxy" risks for requests which are served by mod_perl.
Note also that the Perl LWP::HTTP package has long avoided recognizing
the HTTP_PROXY environment variable, when serving CGI requests.
Apache Tomcat
-------------
Apache Tomcat provides a CGI Servlet that allows to execute a CGI
script. The CGI Servlet isn't active in the configuration delivered by
the ASF and activating it requires the user to modify the web.xml delivered.
To mitigate "httpoxy" issues in CGI Servlet there are 3 possible ways:
1 - Add a filter in the webapp that uses CGI scripts simple code to
reject the requests with PROXY headers via 400 "bad request" error.
Map the filter in web.xml of the webapp. Code like the following will
allow that:
+++
import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.ServletException;
/*
* Simple filter
*/
public class PoxyFilter implements Filter {
protected FilterConfig filterConfig;
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}
public void destroy() {
this.filterConfig = null;
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws java.io.IOException,
ServletException {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse res = (HttpServletResponse)response;
String poxy = req.getHeader("proxy");
if (poxy == null) {
// call next filter in the chain.
chain.doFilter(request, response);
} else {
res.sendError(400);
}
}
}
+++
2 - Add a global valve to reject requests with PROXY header, create a
PoxyValve.java with below content, compile it and put it in a jar and
put the jar in the lib installation of your tomcat. Add the line <Valve
className="PoxyValve" /> in conf/server.xml (like after the
AccessLogValve) and restart Tomcat:
+++
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.valves.ValveBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.Context;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
public class PoxyValve
extends ValveBase {
public void invoke(Request request, Response response)
throws IOException, ServletException {
String poxy = request.getHeader("Proxy");
if (poxy != null) {
response.sendError(400);
return;
}
getNext().invoke(request, response);
}
}
+++
3 - Fix the CGIServlet code with the following patch and recompile
Tomcat and replace the catalina.jar by the produced one in you
installation and restart Tomcat:
+++
--- java/org/apache/catalina/servlets/CGIServlet.java (revision 1724080)
+++ java/org/apache/catalina/servlets/CGIServlet.java (working copy)
@@ -1095,7 +1095,8 @@
//REMIND: change character set
//REMIND: I forgot what the previous REMIND means
if ("AUTHORIZATION".equalsIgnoreCase(header) ||
- "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
+ "PROXY_AUTHORIZATION".equalsIgnoreCase(header) ||
+ "PROXY".equalsIgnoreCase(header)) {
//NOOP per CGI specification section 11.2
} else {
envp.put("HTTP_" + header.replace('-', '_'),
+++
A mitigation is planned for future releases of Tomcat, tracked as
CVE-2016-5388, which will allow the user to prevent values like
HTTP_PROXY from being propagated to the CGI Servlet environment.
Apache Traffic Server (ATS)
---------------------------
Apache Traffic Server is unaffected by this class of vulnerabilities, as
it provides no direct CGI or FastCGI request handling. As a proxy server,
ATS may be configured to route requests to vulnerable CGI applications as
described by the "httpoxy" class of exploits.
Apache Traffic Server can be configured to drop the HTTP "Proxy:" request
header from incoming requests as a mitigation, to prevent this request
header from being forwarded to potentially unhardened backend servers.
One configuration to strip the Proxy header is:
/usr/local/etc/trafficserver/plugin.config
header_rewrite.so strip_proxy.conf
/usr/local/etc/trafficserver/strip_proxy.conf
cond %{READ_REQUEST_HDR_HOOK}
rm-header Proxy