https://www.apache.org/security/asf-httpoxy-response.txt Apache HTTP Server may be configured to proxy HTTP requests as a forward or reverse (gateway) proxy server, can proxy requests to a FastCGI service using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi or mod_cgid or the related mod_isapi service. The project's mod_fcgid subproject (available as a separate add-in module) directly manages CGI scripts using the FastCGI protocol. It may also be configured to directly host a number of external modules which run CGI-style applications in-process. The server itself does not modify the CGI environment in this case, however, these external modules may perform such modifications of their environment variables in-process. Such examples include mod_php, mod_perl and mod_wsgi. To mitigate "httpoxy" issues across all of the above mechanisms, the most direct solution is to drop any "Proxy:" header arriving from an upstream proxy server or the origin user-agent. this will mitigate the issue for any vulnerable back-end server or CGI across all traffic through this server. The two lines below enabled in the httpd.conf file will remove the "Proxy:" header from all incoming requests, before further processing; LoadModule headers_module {path-to}/mod_headers.so RequestHeader unset Proxy early (Users who have mod_headers compiled-in to the httpd binary must omit the LoadModule directive above, others must adjust the {path-to} to point to the mod_headers.so file.) If the administrator wishes to preserve the value of the "Proxy:" header for most traffic, and only eliminate it from the CGI environment variable HTTP_PROXY, a second mitigation is offered. This patch will address this behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid, along with all other consumers of httpd's built-in environment handling. The bundled httpd modules all rely on ap_add_common_vars() to set up the target CGI environment. The project will include the recommended patch below in all subsequent releases of httpd, including 2.4.24 and 2.2.32. Users who build httpd 2.2.x or 2.4.x from source may apply the patch below, recompile and re-install httpd to obtain this mitigation. This migitation has been assigned the identifier CVE-2016-5387 . ======= Patch to httpd sources 2.4.x and 2.2.x ======= --- server/util_script.c (revision 1752426) +++ server/util_script.c (working copy) @@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r else if (!strcasecmp(hdrs[i].key, "Content-length")) { apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); } + /* HTTP_PROXY collides with a popular envvar used to configure + * proxies, don't let clients set/override it. But, if you must... + */ +#ifndef SECURITY_HOLE_PASS_PROXY + else if (!strcasecmp(hdrs[i].key, "Proxy")) { + ; + } +#endif /* * You really don't want to disable this check, since it leaves you * wide open to CGIs stealing passwords and people viewing them