{"id":786,"date":"2021-07-23T12:38:10","date_gmt":"2021-07-23T12:38:10","guid":{"rendered":"https:\/\/ssdsunucum.com\/blog\/cve-2016-5387-httpoxy\/"},"modified":"2021-07-23T12:38:10","modified_gmt":"2021-07-23T12:38:10","slug":"cve-2016-5387-httpoxy","status":"publish","type":"post","link":"https:\/\/ssdsunucum.com\/blog\/cve-2016-5387-httpoxy\/","title":{"rendered":"CVE-2016-5387 HTTPOXY"},"content":{"rendered":"<\/p>\n
\n
<\/div>\n
\n

Background Information<\/h2>\n

On Monday, July 18, 2016, Apache disclosed a vulnerability that affects application code which runs in CGI, or CGI-like environments. This includes the mod_php<\/code> and php-fpm<\/code> Apache modules, among others. For more information on this vulnerability, read the HTTPOXY website.<\/p>\n

Impact<\/h2>\n

Environments vulnerable to this exploit include any that run PHP or CGI, and use the HTTP_PROXY<\/code> variable to configure outgoing proxies.<\/p>\n

Releases<\/h2>\n

Apache released a patch for all versions of Apache 2.2 and Apache 2.4.<\/p>\n

cPanel & WHM released patched Apache binaries for EasyApache 3 in the 3.34.2 release on July 20, 2016, and for EasyApache 4 in the July 21, 2016, release.<\/p>\n

How to determine if your server is up-to-date<\/h2>\n

In EasyApache 3, either navigate to the EasyApache<\/em> 3 interface (WHM >> Home >> Software >> EasyApache 3<\/em>) or run the \/usr\/local\/cpanel\/scripts\/easyapache<\/code> script and ensure that your EasyApache 3 version is 3.34.2<\/code> or higher.<\/p>\n

In EasyApache 4, the updated RPMs provided will contain a changelog entry with a CVE number. To view this changelog entry, run the following command:\n<\/p>\n

\n
rpm -q --changelog ea-apache24 | grep CVE-2016-5387<\/code><\/pre>\n<\/div>\n
The output will resemble the following:\n<\/p>\n
\n
- Apply recommendations in asf-httpoxy-repsponse.txt for<\/span> CVE-2016-5387<\/code><\/pre>\n<\/div>\n
What to do if you are not up-to-date<\/h2>\n
We released patched Apache binaries for EasyApache 3 on July 20, 2016, and for EasyApache 4 on July 21, 2016. To update your server, perform one of the following steps:<\/p>\n
    \n
  • Run an EasyApache 3 build to update your system to version 3.34.2.<\/li>\n
  • In EasyApache 4, run the yum update<\/code> command and ensure that you get an updated package of at least ea-apache24-2.4.23-2<\/code><\/li>\n<\/ul>\n
    Manual mitigation via mod_headers<\/h3>\n
    EasyApache 3<\/h4>\n
    To mitigate this issue before cPanel releases the update, you can update the mod_headers<\/code> Apache module to remove the \"Proxy:\"<\/code> header from all incoming requests. Add the following lines to your \/usr\/local\/apache\/conf\/httpd.conf<\/code> file:\n<\/p>\n
    \n
    \n\n\n
    \n
    1\n<\/span>2\n<\/span>3\n<\/span>4\n<\/span>5\n<\/span>6\n<\/span>7\n<\/span>8\n<\/span><\/code><\/pre>\n<\/td>\n
    		\n
    <IfModule<\/span> headers_module<\/span>>\n    #<\/span>\n    #<\/span> Avoid<\/span> passing<\/span> HTTP_PROXY<\/span> environment<\/span> to<\/span> CGI<\/span>'<\/span>s<\/span> on<\/span> this<\/span> or<\/span> any<\/span> proxied<\/span>\n    #<\/span> backend<\/span> servers<\/span> which<\/span> have<\/span> lingering<\/span> \"httpoxy\"<\/span> defects<\/span>.\n    #<\/span> '<\/span>Proxy<\/span>'<\/span> request<\/span> header<\/span> is<\/span> undefined<\/span> by<\/span> the<\/span> IETF<\/span>, not<\/span> listed<\/span> by<\/span> IANA<\/span>\n    #<\/span>\n    RequestHeader<\/span> unset<\/span> Proxy<\/span> early<\/span>\n<\/<\/span>IfModule<\/span>><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n
    EasyApache 4<\/h4>\n
    To mitigate this issue before cPanel releases the update, you can update the mod_headers<\/code> Apache module to remove the \"Proxy:\"<\/code> header from all incoming requests. Add the following lines to your \/etc\/apache2\/conf\/httpd.conf<\/code> file:<\/p>\n
    \n
    \n\n\n
    \n
    1\n<\/span>2\n<\/span>3\n<\/span>4\n<\/span>5\n<\/span>6\n<\/span>7\n<\/span>8\n<\/span><\/code><\/pre>\n<\/td>\n
    		\n
    <IfModule<\/span> headers_module<\/span>>\n    #<\/span>\n    #<\/span> Avoid<\/span> passing<\/span> HTTP_PROXY<\/span> environment<\/span> to<\/span> CGI<\/span>'<\/span>s<\/span> on<\/span> this<\/span> or<\/span> any<\/span> proxied<\/span>\n    #<\/span> backend<\/span> servers<\/span> which<\/span> have<\/span> lingering<\/span> \"httpoxy\"<\/span> defects<\/span>.\n    #<\/span> '<\/span>Proxy<\/span>'<\/span> request<\/span> header<\/span> is<\/span> undefined<\/span> by<\/span> the<\/span> IETF<\/span>, not<\/span> listed<\/span> by<\/span> IANA<\/span>\n    #<\/span>\n    RequestHeader<\/span> unset<\/span> Proxy<\/span> early<\/span>\n<\/<\/span>IfModule<\/span>><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n
    Manual mitigation via ModSecurity<\/h2>\n
    If you use ModSecurity\u00ae, you can add a custom ModSecurity rule to deny traffic with a Proxy header. To add this rule, perform the following steps:<\/p>\n
      \n
    1. Navigate to WHM\u2019s ModSecurity\u00ae Configuration<\/em> interface (WHM >> Home >> Security Center >> ModSecurity\u00ae Configuration<\/em>).<\/li>\n
    2. Select Process the Rules<\/em> in the Rules Engine<\/em> section.<\/li>\n
    3. Click Save.<\/li>\n
    4. Navigate to WHM\u2019s Modsecurity\u00ae Tools<\/em> interface (WHM >> Home >> Security Center >> ModSecurity\u00ae Tools<\/em>).<\/li>\n
    5. Click Rules List<\/em>. A new interface will appear.<\/li>\n
    6. Click Add Rule<\/em>.  A new interface will appear.<\/li>\n
    7. Enter the following rule in the Rule Text<\/em> text box:\n
      \n
      SecRule &REQUEST_HEADERS:Proxy \"@gt 0\"<\/span> \"id:1000005,log,deny,msg:'httpoxy denied'\"<\/span><\/code><\/pre>\n<\/div>\n<\/li>\n
    8. To enable the rule when you deploy the configuration, select the Enable Rule<\/em> checkbox.<\/li>\n
    9. To deploy the rule and restart Apache immediately, select the Deploy and Restart Apache<\/em> checkbox.<\/li>\n
    10. Click Save<\/em>.\n
      \n
      Warning:<\/div>\n
      \n
      This exploit has the potential to affect many different applications. If you experience trouble with other applications after you update your system, you must<\/strong> contact the application developer for further assistance.<\/p>\n<\/p><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
      If you still experience issues or need additional help, contact cPanel Support<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"
      Background Information On Monday, July 18, 2016, Apache disclosed a vulnerability that affects application code which runs in CGI, or CGI-like environments. This includes the mod_php and php-fpm Apache modules, among others. For more information on this vulnerability, read the HTTPOXY website. Impact Environments vulnerable to this exploit include any that run PHP or CGI, …<\/p>\n","protected":false},"author":1,"featured_media":787,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/786"}],"collection":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/comments?post=786"}],"version-history":[{"count":0,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/786\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media\/787"}],"wp:attachment":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media?parent=786"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/categories?post=786"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/tags?post=786"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}