HTTPoxy Vulnerability

July 19, 2016

A vulnerability named HTTPoxy affecting many PHP applications has been discovered. It allows a crafted request carrying a Proxy header to set the HTTP_PROXY environment variable, which some PHP libraries read to decide which proxy to route their outgoing HTTP requests through. The fix for this vulnerability has already been applied to all servers managed by ServerPilot.

What We Have Done

We've updated all servers to ignore the Proxy request header if it is included in an HTTP(S) request received by your server. This is the recommended solution to the HTTPoxy vulnerability.

What You Should Do

No action is required by you.

How to Verify Your Server Is Patched

If you'd like to verify your server is patched or test other servers not managed by ServerPilot, you can create a file named httpoxy.php in your app's web root directory with the following contents:

<?php
// Under a CGI or FastCGI SAPI, a "Proxy:" request header reaches PHP as the
// HTTP_PROXY variable. Check getenv() and $_SERVER rather than $_ENV: with the
// default variables_order ("GPCS") $_ENV is empty, which would hide the problem.
// A mitigation that blanks the variable instead of removing it is not a hit,
// so only a non-empty value counts.
$fromEnv = getenv('HTTP_PROXY');
$fromServer = isset($_SERVER['HTTP_PROXY']) ? $_SERVER['HTTP_PROXY'] : '';
if (($fromEnv !== false && $fromEnv !== '') || $fromServer !== '') {
    print('Vulnerable to HTTPoxy' . PHP_EOL);
} else {
    print('Not vulnerable to HTTPoxy' . PHP_EOL);
}
?>

Next, make a request for this file from the command line where you include a Proxy request header:

curl -s -H "Proxy: foo" http://YOUR_DOMAIN/httpoxy.php

A patched server prints "Not vulnerable to HTTPoxy" in response to the above command; a server that still passes the header through to PHP prints "Vulnerable to HTTPoxy".
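The server-side fix above stops the Proxy header from reaching PHP at all. The following added example (not ServerPilot's code, nor any library's actual implementation) shows the application-side counterpart: how an HTTP client library in PHP should decide whether to honour HTTP_PROXY. The function names, the optional $sapi parameter and the proxy URLs are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: trusts HTTP_PROXY wherever it comes from. Under a CGI or
// FastCGI SAPI this variable is populated from the "Proxy:" request header, so
// the client's outgoing requests can be redirected by whoever sent the request.
function proxyFromEnvUnsafe(): ?string
{
    $proxy = getenv('HTTP_PROXY');
    return ($proxy === false || $proxy === '') ? null : $proxy;
}

// Hardened pattern: HTTP_PROXY is only meaningful when the process inherited it
// from the operating-system environment, i.e. under the CLI SAPI. In any web
// SAPI the variable is request-controlled, so it is ignored and only a proxy
// set explicitly in configuration (or none) is used.
// $sapi defaults to the real PHP_SAPI; it is a parameter only so the demo below
// can simulate a web worker while running from the command line.
function proxyFromEnvSafe(?string $configuredProxy = null, string $sapi = PHP_SAPI): ?string
{
    if ($configuredProxy !== null && $configuredProxy !== '') {
        return $configuredProxy;
    }
    if ($sapi !== 'cli') {
        return null;
    }
    $proxy = getenv('HTTP_PROXY');
    return ($proxy === false || $proxy === '') ? null : $proxy;
}

// Demonstration: simulate the environment a FastCGI worker would see after
// receiving "Proxy: http://proxy.example:3128" (constructed value).
putenv('HTTP_PROXY=http://proxy.example:3128');

printf("Unsafe client would route through: %s\n",
    proxyFromEnvUnsafe() ?? '(none)');
printf("Safe client under a web SAPI routes through: %s\n",
    proxyFromEnvSafe(null, 'fpm-fcgi') ?? '(none)');
printf("Safe client under the CLI SAPI routes through: %s\n",
    proxyFromEnvSafe(null, 'cli') ?? '(none)');
printf("Safe client with explicit configuration routes through: %s\n",
    proxyFromEnvSafe('http://corp-proxy.internal:8080', 'fpm-fcgi') ?? '(none)');
```

Run with `php example.php`. The unsafe function reports the request-supplied proxy; the safe one returns none under the simulated FastCGI SAPI, honours the variable only under the CLI SAPI, and always prefers an explicitly configured proxy. Applying this check in the application is defence in depth: it protects code that may later be deployed behind a web server that does not strip the header.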

Don't hesitate to contact us if you have any questions.