| Advisory: Apache Software Foundation Projects and "httpoxy" CERT VU#797896 |
| |
| Canonical URL: https://www.apache.org/security/asf-httpoxy-response.txt |
| |
| Publication: v1.0 18 July 2016 |
| |
| |
| Audience |
| -------- |
| |
| This Advisory is directed to HTTP web server administrators and users of |
| the software indicated below, including CGI developers. |
| |
| This Advisory is not directed to a general audience, especially web browser |
| users. The issues raised by the "httpoxy" class of vulnerabilities affect |
| web servers, and are not an issue for consumers of web services to address. |
| |
| |
| Background |
| ---------- |
| |
| The ASF (Apache Software Foundation) offers a number of software packages |
| which offer HTTP protocol ("Web") requests and responses, and offer the |
| developer or admininstrator CGI (Common Gateway Interface) routing through |
| these software packages. |
| |
| The Apache HTTP Server (httpd and mod_fcgid), Apache Perl (mod_perl) and |
| Apache Tomcat projects all offer CGI handling of HTTP requests. |
| |
| The Apache Traffic Server proxies HTTP requests, but offers no CGI support. |
| |
| Many other ASF projects utilize the HTTP protocol, but at this time we have |
| not identified any which provide CGI handling, or forward the HTTP "Proxy:" |
| header implicated in the "httpoxy" class of issues. In the event that other |
| projects discover such a defect, or can contribute to mitigating this class |
| of issues, this Advisory will be updated. |
| |
| Note especially that PHP (http://www.php.net) is not an Apache Software |
| Foundation project (this is a common point of confusion), and that this |
| Advisory does not attempt to address third-party software, scripts, |
| libraries or components affected by the "httpoxy" group of issues. |
| |
| See https://httpoxy.org/ (not affiliated with the ASF) for a complete |
| discussion of the "httpoxy" class of issues, which are not reiterated |
| in this advisory. |
| |
| The Apache Software Foundation wishes to thank Dominic Scheirlinck |
| and Scott Geary of Vend for bringing this issue to the attention of |
| the ASF Security Team for a well-coordinated community response. |
| |
| |
| Apache HTTP Server (httpd) |
| -------------------------- |
| |
| Apache HTTP Server may be configured to proxy HTTP requests as a forward |
| or reverse (gateway) proxy server, can proxy requests to a FastCGI service |
| using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi |
| or mod_cgid or the related mod_isapi service. The project's mod_fcgid |
| subproject (available as a separate add-in module) directly manages CGI |
| scripts using the FastCGI protocol. |
| |
| It may also be configured to directly host a number of external modules |
| which run CGI-style applications in-process. The server itself does not |
| modify the CGI environment in this case, however, these external modules |
| may perform such modifications of their environment variables in-process. |
| Such examples include mod_php, mod_perl and mod_wsgi. |
| |
| To mitigate "httpoxy" issues across all of the above mechanisms, the most |
| direct solution is to drop any "Proxy:" header arriving from an upstream |
| proxy server or the origin user-agent. this will mitigate the issue for any |
| vulnerable back-end server or CGI across all traffic through this server. |
| |
| The two lines below enabled in the httpd.conf file will remove the "Proxy:" |
| header from all incoming requests, before further processing; |
| |
| LoadModule headers_module {path-to}/mod_headers.so |
| |
| RequestHeader unset Proxy early |
| |
| (Users who have mod_headers compiled-in to the httpd binary must omit |
| the LoadModule directive above, others must adjust the {path-to} to point |
| to the mod_headers.so file.) |
| |
| If the administrator wishes to preserve the value of the "Proxy:" header |
| for most traffic, and only eliminate it from the CGI environment variable |
| HTTP_PROXY, a second mitigation is offered. This patch will address this |
| behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid, |
| along with all other consumers of httpd's built-in environment handling. |
| |
| The bundled httpd modules all rely on ap_add_common_vars() to set up the |
| target CGI environment. The project will include the recommended patch |
| below in all subsequent releases of httpd, including 2.4.24 and 2.2.32. |
| Users who build httpd 2.2.x or 2.4.x from source may apply the patch below, |
| recompile and re-install httpd to obtain this mitigation. This migitation |
| has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>. |
| |
| ======= Patch to httpd sources 2.4.x and 2.2.x ======= |
| --- server/util_script.c (revision 1752426) |
| +++ server/util_script.c (working copy) |
| @@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r |
| else if (!strcasecmp(hdrs[i].key, "Content-length")) { |
| apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); |
| } |
| + /* HTTP_PROXY collides with a popular envvar used to configure |
| + * proxies, don't let clients set/override it. But, if you must... |
| + */ |
| +#ifndef SECURITY_HOLE_PASS_PROXY |
| + else if (!strcasecmp(hdrs[i].key, "Proxy")) { |
| + ; |
| + } |
| +#endif |
| /* |
| * You really don't want to disable this check, since it leaves you |
| * wide open to CGIs stealing passwords and people viewing them |
| ======= End Patch ======= |
| |
| |
| Apache HTTP Server (mod_fcgid) |
| ------------------------------ |
| |
| Either mitigation listed above for Apache HTTP Server (httpd) guidance above |
| also mitigates all risks for CGI's which are invoked by mod_fcgid. Therefore |
| any CVE with respect to mod_fcgid is revoked as duplicate of CVE-2016-5387. |
| |
| |
| Apache Perl Module (mod_perl) |
| ----------------------------- |
| |
| Either mitigation listed for Apache HTTP Server (httpd) guidance above |
| also mitigates "httpoxy" risks for requests which are served by mod_perl. |
| |
| Note also that the Perl LWP::HTTP package has long avoided recognizing |
| the HTTP_PROXY environment variable, when serving CGI requests. |
| |
| |
| Apache Tomcat |
| ------------- |
| |
| Apache Tomcat provides a CGI Servlet that allows to execute a CGI |
| script. The CGI Servlet isn't active in the configuration delivered by |
| the ASF and activating it requires the user to modify the web.xml delivered. |
| |
| To mitigate "httpoxy" issues in CGI Servlet there are 3 possible ways: |
| |
| 1 - Add a filter in the webapp that uses CGI scripts simple code to |
| reject the requests with PROXY headers via 400 "bad request" error. |
| Map the filter in web.xml of the webapp. Code like the following will |
| allow that: |
| +++ |
| import javax.servlet.Filter; |
| import javax.servlet.FilterConfig; |
| import javax.servlet.FilterChain; |
| import javax.servlet.http.HttpServletRequest; |
| import javax.servlet.http.HttpServletResponse; |
| import javax.servlet.ServletRequest; |
| import javax.servlet.ServletResponse; |
| import javax.servlet.ServletException; |
| |
| /* |
| * Simple filter |
| */ |
| public class PoxyFilter implements Filter { |
| |
| protected FilterConfig filterConfig; |
| |
| public void init(FilterConfig filterConfig) throws ServletException { |
| this.filterConfig = filterConfig; |
| } |
| |
| |
| public void destroy() { |
| this.filterConfig = null; |
| } |
| |
| public void doFilter(ServletRequest request, ServletResponse response, |
| FilterChain chain) throws java.io.IOException, |
| ServletException { |
| |
| |
| HttpServletRequest req = (HttpServletRequest)request; |
| HttpServletResponse res = (HttpServletResponse)response; |
| |
| String poxy = req.getHeader("proxy"); |
| if (poxy == null) { |
| // call next filter in the chain. |
| chain.doFilter(request, response); |
| } else { |
| res.sendError(400); |
| } |
| } |
| } |
| +++ |
| |
| 2 - Add a global valve to reject requests with PROXY header, create a |
| PoxyValve.java with below content, compile it and put it in a jar and |
| put the jar in the lib installation of your tomcat. Add the line <Valve |
| className="PoxyValve" /> in conf/server.xml (like after the |
| AccessLogValve) and restart Tomcat: |
| |
| +++ |
| |
| import java.io.IOException; |
| import javax.servlet.ServletException; |
| |
| import org.apache.catalina.valves.ValveBase; |
| import org.apache.catalina.connector.Request; |
| import org.apache.catalina.connector.Response; |
| |
| import org.apache.catalina.Context; |
| import org.apache.catalina.Realm; |
| import org.apache.catalina.Session; |
| |
| public class PoxyValve |
| extends ValveBase { |
| |
| public void invoke(Request request, Response response) |
| throws IOException, ServletException { |
| |
| String poxy = request.getHeader("Proxy"); |
| if (poxy != null) { |
| response.sendError(400); |
| return; |
| } |
| getNext().invoke(request, response); |
| } |
| } |
| +++ |
| |
| 3 - Fix the CGIServlet code with the following patch and recompile |
| Tomcat and replace the catalina.jar by the produced one in you |
| installation and restart Tomcat: |
| |
| +++ |
| --- java/org/apache/catalina/servlets/CGIServlet.java (revision 1724080) |
| +++ java/org/apache/catalina/servlets/CGIServlet.java (working copy) |
| @@ -1095,7 +1095,8 @@ |
| //REMIND: change character set |
| //REMIND: I forgot what the previous REMIND means |
| if ("AUTHORIZATION".equalsIgnoreCase(header) || |
| - "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) { |
| + "PROXY_AUTHORIZATION".equalsIgnoreCase(header) || |
| + "PROXY".equalsIgnoreCase(header)) { |
| //NOOP per CGI specification section 11.2 |
| } else { |
| envp.put("HTTP_" + header.replace('-', '_'), |
| +++ |
| |
| A mitigation is planned for future releases of Tomcat, tracked as |
| CVE-2016-5388, which will allow the user to prevent values like |
| HTTP_PROXY from being propagated to the CGI Servlet environment. |
| |
| |
| Apache Traffic Server (ATS) |
| --------------------------- |
| |
| Apache Traffic Server is unaffected by this class of vulnerabilities, as |
| it provides no direct CGI or FastCGI request handling. As a proxy server, |
| ATS may be configured to route requests to vulnerable CGI applications as |
| described by the "httpoxy" class of exploits. |
| |
| Apache Traffic Server can be configured to drop the HTTP "Proxy:" request |
| header from incoming requests as a mitigation, to prevent this request |
| header from being forwarded to potentially unhardened backend servers. |
| One configuration to strip the Proxy header is: |
| |
| /usr/local/etc/trafficserver/plugin.config |
| header_rewrite.so strip_proxy.conf |
| |
| /usr/local/etc/trafficserver/strip_proxy.conf |
| cond %{READ_REQUEST_HDR_HOOK} |
| rm-header Proxy |
| |
| |