63 lines
3 KiB
Text
63 lines
3 KiB
Text
https://www.apache.org/security/asf-httpoxy-response.txt
|
|
|
|
Apache HTTP Server may be configured to proxy HTTP requests as a forward
|
|
or reverse (gateway) proxy server, can proxy requests to a FastCGI service
|
|
using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi
|
|
or mod_cgid or the related mod_isapi service. The project's mod_fcgid
|
|
subproject (available as a separate add-in module) directly manages CGI
|
|
scripts using the FastCGI protocol.
|
|
|
|
It may also be configured to directly host a number of external modules
|
|
which run CGI-style applications in-process. The server itself does not
|
|
modify the CGI environment in this case, however, these external modules
|
|
may perform such modifications of their environment variables in-process.
|
|
Such examples include mod_php, mod_perl and mod_wsgi.
|
|
|
|
To mitigate "httpoxy" issues across all of the above mechanisms, the most
|
|
direct solution is to drop any "Proxy:" header arriving from an upstream
|
|
proxy server or the origin user-agent. this will mitigate the issue for any
|
|
vulnerable back-end server or CGI across all traffic through this server.
|
|
|
|
The two lines below enabled in the httpd.conf file will remove the "Proxy:"
|
|
header from all incoming requests, before further processing;
|
|
|
|
LoadModule headers_module {path-to}/mod_headers.so
|
|
|
|
RequestHeader unset Proxy early
|
|
|
|
(Users who have mod_headers compiled-in to the httpd binary must omit
|
|
the LoadModule directive above, others must adjust the {path-to} to point
|
|
to the mod_headers.so file.)
|
|
|
|
If the administrator wishes to preserve the value of the "Proxy:" header
|
|
for most traffic, and only eliminate it from the CGI environment variable
|
|
HTTP_PROXY, a second mitigation is offered. This patch will address this
|
|
behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid,
|
|
along with all other consumers of httpd's built-in environment handling.
|
|
|
|
The bundled httpd modules all rely on ap_add_common_vars() to set up the
|
|
target CGI environment. The project will include the recommended patch
|
|
below in all subsequent releases of httpd, including 2.4.24 and 2.2.32.
|
|
Users who build httpd 2.2.x or 2.4.x from source may apply the patch below,
|
|
recompile and re-install httpd to obtain this mitigation. This migitation
|
|
has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>.
|
|
|
|
======= Patch to httpd sources 2.4.x and 2.2.x =======
|
|
|
|
--- server/util_script.c (revision 1752426)
|
|
+++ server/util_script.c (working copy)
|
|
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
|
|
else if (!strcasecmp(hdrs[i].key, "Content-length")) {
|
|
apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
|
|
}
|
|
+ /* HTTP_PROXY collides with a popular envvar used to configure
|
|
+ * proxies, don't let clients set/override it. But, if you must...
|
|
+ */
|
|
+#ifndef SECURITY_HOLE_PASS_PROXY
|
|
+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
|
|
+ ;
|
|
+ }
|
|
+#endif
|
|
/*
|
|
* You really don't want to disable this check, since it leaves you
|
|
* wide open to CGIs stealing passwords and people viewing them
|