HTTP Proxy Header Vulnerability ("httpoxy")
"HTTPoxy" refers to an older vulnerability in how web applications use the HTTP "Proxy" header incorrectly. The vulnerability was first described in 2001 in libwww-perl, but has survived detection in other languages and plugins until now. The vulnerability can be found in some popular implementations, but is not affecting the vast majority of web applications.
According to RFC 3875, which described CGI ("Common Gateway Interface"), the content of the "Proxy" header is assigned to the HTTP_PROXY environment variable. Like all user supplied data, this value needs to be validated, but sadly, some web applications fail to do so
The effect is that outbound web requests from the application may use a proxy provided by the user.
You are vulnerable if you are not validating the Proxy header, AND if you are using specific frameworks for outbound web requests that use the HTTP_PROXY environment variable.
For a full list of affected applications, and more details, see https://httpoxy.org . The site also suggests specific mitigation techniques, like removing the Proxy header from all inbound requests, which is probably a sound technique to minimize the impact of this issue.
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
5 months ago
isc.sans.edu
Dec 3rd 2022
5 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago