A CGI application vulnerability (in 2016)
for PHP, Go, Python and others
httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:
RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header.
Thanks @ko1nksm. Looks like this is a server-side vulnerability. The CGI environment is out of scope for cli-guidelines. Being able to use an HTTP proxy as a client is still necessary in many environments, and CLI apps should consider supporting it.
The environment variables can be specified in lower case or upper case. The lower case version has precedence. http_proxy is an exception as it is only available in lower case.
Using an environment variable to set the proxy has the same effect as using the -x, --proxy option.
Wget supports proxies for both HTTP and FTP retrievals. The standard way to specify proxy location, which Wget recognizes, is using the following environment variables:
http_proxy
https_proxy
If set, the http_proxy and https_proxy variables should contain the URLs of the proxies for HTTP and HTTPS connections respectively.
https://httpoxy.org/
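An added example, not part of the issue thread or of any project's code: the namespace conflict described above and the lowercase-only `http_proxy` rule quoted from the curl documentation, sketched in Python. The function names and the sample header values are constructed for illustration.

```python
# Added example; names and sample values are constructed for illustration.

SAMPLE_HEADERS = {  # constructed request headers
    "Host": "app.example",
    "Proxy": "http://untrusted.example:8080",
}

def cgi_environ(headers, base_env=None):
    """RFC 3875 mapping: request header 'X-Foo' becomes meta-variable HTTP_X_FOO."""
    env = dict(base_env or {})
    env["REQUEST_METHOD"] = "GET"
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def naive_http_proxy(env):
    """Affected pattern: accepts HTTP_PROXY, which a CGI request can populate."""
    return env.get("http_proxy") or env.get("HTTP_PROXY")

def proxy_for(scheme, env):
    """Lookup following the rule quoted above: lowercase wins, and for
    plain HTTP only the lowercase http_proxy is honoured."""
    lower = env.get(scheme.lower() + "_proxy")
    if lower:
        return lower
    if scheme.lower() == "http":
        return None  # never read HTTP_PROXY
    return env.get(scheme.upper() + "_PROXY") or None

def strip_proxy_header(headers):
    """Server-side mitigation: drop the Proxy header before building the CGI env."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}

if __name__ == "__main__":
    env = cgi_environ(SAMPLE_HEADERS)
    print("HTTP_PROXY in CGI env:", env.get("HTTP_PROXY"))
    print("naive lookup:", naive_http_proxy(env))
    print("lowercase-only lookup:", proxy_for("http", env))
    print("after stripping header:",
          "HTTP_PROXY" in cgi_environ(strip_proxy_header(SAMPLE_HEADERS)))
```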