Fifteen-year-old server-side bug opens up websites

A remotely exploitable vulnerability in web application code, first discovered 15 years ago, has returned to haunt server admins who are being urged to take action immediately to avoid being hit.

Researchers from New Zealand point of sale software company Vend, Dominic Scheirlink, Richard Rowe, Morgan Pyne and Scott Geary, worked with Red Hat product security staffer Kurt Seifried to document the flaw, which they have nicknamed Httpoxy. 

On vulnerable applications, the Httpoxy flaw is easily exploitable, the researchers said.

Attackers can proxy outgoing HTTP requests and direct the server to open outwards connections to arbitrary IP addresses and transport control protocol (TCP) ports.

The flaw also allows for denial of service attacks, by forcing vulnerable software to use a malicous proxy to tie up server resources.

The problem lies in a namespace conflict specified in the request for comment document (RFC 3875), which outlines the functionality of the common gateway interface (CGI) for running external programs under HTTP or web servers.

RFC 3875 inserts the proxy header from requests into environment variables as HTTP_PROXY, a variable used to configure outgoing proxies, which can be abused.

Although the bug was first discovered by Perl guru Randal L Schwartz in 2001, and fixed in the libraries for the scripting language in the same year, it has resurfaced in other software over the past decade and a half. 

Vend's Scott Geary discovered in July this year that the flaw is still around in the PHP server-side scripting language, and in plenty of other modern software.

"... the bug was lying dormant for years, like a latent infection: pox. We imagine that many people may have found the issue over the years, but never investigated its scope in other languages and libraries," the researchers wrote.

Admins can prevent exploitation of httpoxy by blocking the proxy request headers as early as possible before they reach web applications. The researchers said the simplest and most convenient way to block the headers is by using a web application firewall (WAF) or by doing it directly on web servers such as Apache, Nginx, or the HAproxy load balancer.

While Microsoft's Internet Information Services (IIS) web server and ASP.NET and Active Server Pages frameworks are not directly vulnerable to httpoxy, sites running PHP or similar software on top of these need to take steps to prevent exploitation of the bug.