httpoxy

Yet Another Named Disclosure

We think it’s worthwhile to give a name to a vulnerability that is broadly spread throughout an ecosystem (in this case PHP) and poorly documented, especially when its history shows it to be prone to recur.

httpoxy has existed (and been known about) for a long time, yet new occurrences of the vulnerability were still being introduced as late as 2016. Indeed, we found a large number of feature requests in GitHub issues asking HTTP clients to add the ability to read HTTP_PROXY, the very environment variable that a CGI gateway populates from a client-supplied Proxy request header.

Consider the fact that the LWP, curl and Ruby teams all noticed this at some point over the last 15 years, yet thousands of applications remain vulnerable today. We can only think that is because their findings were not loudly and urgently transmitted to everyone else using CGI. So, we think this calls for a slightly “louder” fix.
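The mechanism these paragraphs refer to, shown as an added example that is not code from the httpoxy disclosure page or from any of the named projects: a CGI gateway turns every request header into an HTTP_-prefixed environment variable (RFC 3875 section 4.1.18), so a client-supplied Proxy header becomes HTTP_PROXY, and an HTTP client library that honours HTTP_PROXY will then send its outbound requests through a host the attacker chose. The function names, the sample request and the attacker host below are constructed for the illustration. Python is used because its urllib was one of the affected clients; the same chain applies to PHP, Go, Ruby and the others. The block also shows the two places the chain can be broken: the server can refuse or strip the Proxy header, and a client can ignore HTTP_PROXY whenever REQUEST_METHOD is present, because that variable is always set under CGI and a header can never produce the lowercase http_proxy form.

```python
"""Added example: how a Proxy request header becomes HTTP_PROXY under CGI.

Not code from httpoxy.org or from any affected project. The header names,
hosts and function names are constructed for this illustration.
"""
from typing import Dict, Iterable, List, Optional, Tuple

Header = Tuple[str, str]


def cgi_meta_variables(headers: Iterable[Header], method: str = "GET") -> Dict[str, str]:
    """Model the header-to-environment mapping a CGI gateway performs.

    RFC 3875 section 4.1.18: uppercase the header name, replace '-' with '_',
    prefix with 'HTTP_'. REQUEST_METHOD is always set for a CGI script.
    """
    env = {"REQUEST_METHOD": method}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_proxy_from_env(env: Dict[str, str]) -> Optional[str]:
    """Simplified model of a client library that consults HTTP_PROXY.

    Accepting either case is what made LWP, curl, Ruby's Net::HTTP and
    Python's urllib reachable from a request header in a CGI context.
    """
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def hardened_proxy_from_env(env: Dict[str, str]) -> Optional[str]:
    """Client-side mitigation: distrust HTTP_PROXY when running under CGI.

    REQUEST_METHOD is only present in a CGI environment. A header can only
    ever produce the uppercase HTTP_PROXY, so the lowercase http_proxy set
    by an operator remains usable even there.
    """
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def strip_proxy_header(headers: Iterable[Header]) -> List[Header]:
    """Server-side mitigation: drop the Proxy header before CGI sees it.

    No standard use of a 'Proxy' request header exists, so dropping (or
    rejecting the request outright) loses nothing legitimate.
    """
    return [(name, value) for name, value in headers if name.lower() != "proxy"]


def demonstrate() -> Dict[str, Optional[str]]:
    """Run the attack path and both mitigations on one constructed request."""
    # Constructed request: the attacker adds a Proxy header to an ordinary GET.
    request = [
        ("Host", "app.example"),
        ("User-Agent", "constructed-client/1.0"),
        ("Proxy", "attacker.example:8080"),
    ]
    env = cgi_meta_variables(request)
    return {
        # vulnerable: the library will route outbound traffic via the attacker
        "naive_under_cgi": naive_proxy_from_env(env),
        # client-side fix: HTTP_PROXY ignored because REQUEST_METHOD is present
        "hardened_under_cgi": hardened_proxy_from_env(env),
        # server-side fix: the variable is never created
        "naive_after_strip": naive_proxy_from_env(
            cgi_meta_variables(strip_proxy_header(request))
        ),
        # an operator's own setting outside CGI is still honoured
        "hardened_outside_cgi": hardened_proxy_from_env({"HTTP_PROXY": "proxy.corp.example:3128"}),
    }


if __name__ == "__main__":
    for label, proxy in demonstrate().items():
        print(f"{label}: {proxy}")
```

Either mitigation alone closes the hole for a given deployment; the server-side strip is the one to apply first, since it covers every client library running behind that gateway, including ones not yet patched.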

Disclosure Research Team

Vend
Red Hat Product Security

Thanks to everyone else who had suggestions and helped us prepare this site.

Licensing

To the extent possible under law, Dominic Scheirlinck and Vend Limited have waived all copyright and related or neighboring rights to the httpoxy disclosure page (and logo) (aka CC0).

This means you can use the logo without attribution if you'd like, and you don't need to ask for permission.

If you would like to give attribution, the logo was designed by Nicola Horlor and the team at Vend, an online retail point-of-sale company.

Contact

We are available for comment at contact@httpoxy.org, or @httpoxy on Twitter.