httpoxy

IDs: 
CVE-2016-5385 CVE-2016-5386 CVE-2016-5387 CVE-2016-5388 CVE-2016-1000109 CVE-2016-1000110
Keywords: 
cgi, proxy
Description: 

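By sending an HTTP request header "Proxy", attackers are able to redirect the outgoing HTTP traffic of vulnerable web applications. This vulnerability, called "HTTPoxy", affects CGI and CGI-like environments that create an environment variable HTTP_PROXY from the HTTP request header "Proxy". HTTP clients commonly read HTTP_PROXY as their outbound proxy setting, so the request header ends up controlling where the application sends its own requests.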

Airlock WAF is not affected by this vulnerability and protects vulnerable back-ends by default. Airlock WAF removes any HTTP header not white-listed in the Request Action "(default) Request header whitelist".

Resolution: 

Make sure that the request action "(default) Request header whitelist", which is configured on the mapping, is not disabled. If you customized the action, make sure that the HTTP header "Proxy" is still removed from any request.
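The header-to-variable mapping and the whitelist approach described above, as an added Python example (not Airlock's implementation). The whitelist contents, function names and sample request are assumptions constructed for illustration.

```python
# Added example: models CGI header mapping (RFC 3875) and a header whitelist.
# Not Airlock code; whitelist entries and sample values are constructed.

# Hypothetical whitelist, lower-cased header names.
HEADER_WHITELIST = {"host", "accept", "accept-language", "user-agent",
                    "cookie", "content-type", "content-length"}


def cgi_environ(headers):
    """Map request headers to CGI meta-variables: upper-case the name,
    replace '-' with '_' and prefix 'HTTP_'."""
    env = {}
    for name, value in headers:
        key = name.upper().replace("-", "_")
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value  # these two carry no HTTP_ prefix
        else:
            env["HTTP_" + key] = value
    return env


def filter_headers(headers, whitelist=HEADER_WHITELIST):
    """Keep only whitelisted headers; header names are case-insensitive."""
    kept, dropped = [], []
    for name, value in headers:
        target = kept if name.strip().lower() in whitelist else dropped
        target.append((name, value))
    return kept, dropped


# Constructed request; the Proxy header is sent in mixed case on purpose.
SAMPLE_REQUEST = [
    ("Host", "app.example.test"),
    ("User-Agent", "curl/8.0"),
    ("pRoXy", "http://203.0.113.7:8080"),
]


def demo():
    """Return the CGI environment without and with whitelist filtering."""
    unfiltered = cgi_environ(SAMPLE_REQUEST)
    kept, dropped = filter_headers(SAMPLE_REQUEST)
    return unfiltered, cgi_environ(kept), dropped


if __name__ == "__main__":
    unfiltered, filtered, dropped = demo()
    print("HTTP_PROXY without filtering:", unfiltered.get("HTTP_PROXY"))
    print("HTTP_PROXY with whitelist:   ", filtered.get("HTTP_PROXY"))
    print("dropped headers:", dropped)
```

Because the filter is an allow-list, the "Proxy" header is dropped without being named anywhere, which is why a customized action needs re-checking.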

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock