Vulnerability category: Web Application
Severity:
Vulnerability information
The web application uses an HTTP client library for making server-side HTTP requests. The HTTP library used is vulnerable to the httpoxy attack. The library reads the environment variable "HTTP_PROXY" to configure an outgoing proxy. As specified in RFC 3875, CGI places the "Proxy" header of an incoming request into the environment as HTTP_PROXY. An attacker can therefore make the library route its requests through a malicious HTTP proxy under his/her control by sending a crafted HTTP request that carries the malicious proxy address as the value of the "Proxy" header. More details are available at https://httpoxy.org/.
Impact
An attacker can divert outgoing HTTP requests made by the vulnerable application to an HTTP server or proxy of his/her choice. The attacker can thus obtain sensitive information carried in these requests, such as credentials or API tokens. The attacker can also return content of his/her choice in the response to such requests, which could be used to influence business logic decisions in the application.
Solution
Use the mitigation steps described at https://httpoxy.org/. The vulnerability can be mitigated by configuring the web server to remove or drop the "Proxy" header from all incoming HTTP requests before they reach the CGI layer. Independently, the HTTP client library should ignore HTTP_PROXY when it detects that it is running inside a CGI-style process (for example when REQUEST_METHOD is set in the environment), since that variable is then client-controlled.
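The following Python is an added example, not code from the original advisory or from httpoxy.org. It models the RFC 3875 header-to-environment mapping that turns a client-supplied "Proxy" header into HTTP_PROXY, and shows the two defensive checks from the solution above: stripping the header at the gateway before the mapping runs, and having the client side ignore HTTP_PROXY whenever CGI meta-variables indicate the value came from a request. The request headers and the 203.0.113.5 address are constructed sample data; the function names are this example's own.

```python
"""Added example (not from the original advisory): RFC 3875 header-to-env mapping
and two httpoxy defences, one at the gateway and one in the HTTP client."""
import logging

log = logging.getLogger("httpoxy-check")

# CGI meta-variables whose presence means the process was spawned per request,
# so HTTP_* environment variables are derived from attacker-controlled headers.
CGI_MARKERS = ("REQUEST_METHOD", "GATEWAY_INTERFACE")


def cgi_env_from_headers(headers, strip_proxy=True):
    """Map request headers to CGI meta-variables as RFC 3875 section 4.1.18
    describes: upper-case the name, replace '-' with '_', prepend 'HTTP_'.

    With strip_proxy=True the 'Proxy' header is dropped before the mapping,
    which is the gateway-side httpoxy mitigation (equivalent to the web server
    removing the header before it reaches CGI)."""
    env = {}
    for name, value in headers:
        if name.lower() == "proxy":
            # A browser never sends this header; log it as a probe either way.
            log.warning("Proxy header seen in request: %r", value)
            if strip_proxy:
                continue
        key = "HTTP_" + name.replace("-", "_").upper()
        env[key] = value
    return env


def effective_http_proxy(env):
    """Decide which outgoing proxy an HTTP client library should honour.

    Inside a CGI-style process HTTP_PROXY is request-derived, so it is ignored.
    This mirrors the library-side fix adopted after httpoxy, e.g. Go's net/http
    ignores HTTP_PROXY when REQUEST_METHOD is present in the environment."""
    if any(marker in env for marker in CGI_MARKERS):
        if "HTTP_PROXY" in env:
            log.warning("ignoring request-derived HTTP_PROXY under CGI")
        return None
    # Outside CGI the variable is operator-configured and may be used.
    return env.get("HTTP_PROXY") or env.get("http_proxy")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample request: a benign Host header plus a Proxy header
    # of the kind the advisory describes; 203.0.113.5 is a documentation address.
    sample_headers = [
        ("Host", "app.example"),
        ("User-Agent", "curl/8.0"),
        ("Proxy", "http://203.0.113.5:8080"),
    ]

    # Unpatched gateway: the header lands in HTTP_PROXY verbatim.
    unpatched = cgi_env_from_headers(sample_headers, strip_proxy=False)
    unpatched["REQUEST_METHOD"] = "GET"
    print("unpatched env HTTP_PROXY:", unpatched.get("HTTP_PROXY"))
    print("client would use proxy  :", effective_http_proxy(unpatched))

    # Patched gateway: header removed before the CGI mapping.
    patched = cgi_env_from_headers(sample_headers)
    patched["REQUEST_METHOD"] = "GET"
    print("patched env has HTTP_PROXY:", "HTTP_PROXY" in patched)
```

Either layer alone closes the hole, but the two are independent: the gateway filter protects every library the application uses, and the client-side check protects an application whose front-end configuration cannot be changed. The warning logged on a "Proxy" header is a useful detection signal, since legitimate browsers and HTTP clients never send that header.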