Another day, another name: this time it’s httpoxy. In certain web server configurations, this vulnerability allows malicious users to intercept internal communications between servers or cause denial-of-service by overloading server resources. At its core, httpoxy is a simple naming conflict between two unrelated entities: an HTTP header and an environment variable.
How it Works
When a web browser sends a request to a web server, it includes a number of headers that specify information about the request. For example, browsers may send the “Accept-Language” header to tell the server to return content in a certain language if it’s available, or the “Cookie” header to pass any cookies the browser holds on to the server. Another one of those possible headers is named “Proxy.” Vulnerable server configurations will copy some of these headers into environment variables with an “HTTP” prefix, so that the web application code can easily access them. For example, the “Proxy” header will be copied into an environment variable named “HTTP_PROXY”. This is where the problem lies: the “HTTP_PROXY” environment variable is actually commonly used for an entirely different purpose: configuring HTTP proxy settings. This configuration is not something that web clients should ever be able to configure, but with this vulnerability, they can do exactly that.