
Mitigating the HTTPoxy Vulnerability with Nginx - kgogolek
https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
======
rahkiin
> The vulnerability was mentioned on the NGINX mailing list in July, 2013, by
> Jonathan Matthews.

Wow, that is long ago. Why wasn't this mitigated earlier? The attack is very
simple.

~~~
justinsaccount
It gets worse

[https://httpoxy.org/#history](https://httpoxy.org/#history)

March 2001 - The issue is discovered in libwww-perl and fixed. Reported by
Randal L. Schwartz.

------
drdaeman
There are mentions of Python... Does this affect WSGI applications, in
particular, uWSGI?

AFAIK, uWSGI somewhat resembles but doesn't emulate CGI (unlike how FastCGI
works), and WSGI application's `environ` parameter isn't related to
`os.environ`, so it should be safe. But I may be mistaken here...

~~~
adrianratnapala
I don't know about uWSGI, but here is what it says at httpoxy.org:

----

Python code must be deployed under CGI to be vulnerable. Usually, that’ll mean
the vulnerable code will use a CGI handler like wsgiref.handlers.CGIHandler.

This is not considered a normal way of deploying Python webapps (most people
are using WSGI or FastCGI, both of which are not affected),

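The mechanism behind the question and the quoted answer, as an added example that is not code from the thread, from httpoxy.org or from NGINX: it implements the RFC 3875 rule by which a CGI gateway turns request headers into `HTTP_*` environment variables, shows that a client header named `Proxy` lands in `HTTP_PROXY`, checks what Python's `urllib` would read from such an environment, and applies the gateway-side fix of dropping the variable before it reaches the CGI child (the same effect as NGINX's `fastcgi_param HTTP_PROXY "";`). The header values and host names are constructed for the example.

```python
"""Added example: how CGI turns request headers into environment variables,
why a "Proxy" header collides with HTTP_PROXY, and the gateway-side fix.
Not code from the thread, httpoxy.org or NGINX; header values are constructed."""
import os
import urllib.request
from unittest import mock


def cgi_meta_variables(headers):
    """Apply the RFC 3875 protocol-specific meta-variable rule: each request
    header becomes "HTTP_" + the name upper-cased with "-" replaced by "_".
    Repeated headers are folded into one comma-separated value."""
    env = {}
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        env[key] = value if key not in env else env[key] + ", " + value
    return env


# The collision at the heart of HTTPoxy: a request header named "Proxy" is
# mapped to HTTP_PROXY, the variable many HTTP client libraries read as
# their outbound proxy setting.
CLIENT_CONTROLLABLE_PROXY_VARS = frozenset({"HTTP_PROXY"})


def env_has_proxy_override(env):
    """True if the CGI environment carries a client-supplied proxy setting."""
    return any(k.upper() in CLIENT_CONTROLLABLE_PROXY_VARS for k in env)


def sanitize_cgi_env(env):
    """Gateway-side mitigation: drop the client-controllable proxy variables
    before the environment reaches the CGI child (NGINX achieves the same
    with `fastcgi_param HTTP_PROXY "";`)."""
    return {k: v for k, v in env.items()
            if k.upper() not in CLIENT_CONTROLLABLE_PROXY_VARS}


def proxies_seen_by_urllib(env):
    """What urllib would use as proxy settings in a process whose environment
    is exactly `env`; the real environment is swapped out only for the call.
    This is the difference between a WSGI `environ` dict, which client
    libraries never consult, and a CGI process environment, which they do."""
    with mock.patch.dict(os.environ, env, clear=True):
        return urllib.request.getproxies_environment()


# Constructed request headers: ordinary headers plus a Proxy header, which no
# legitimate client sends.
CONSTRUCTED_HEADERS = [
    ("Host", "app.example"),
    ("Proxy", "http://constructed-proxy.invalid:8080"),
    ("X-Forwarded-For", "203.0.113.9"),
]

if __name__ == "__main__":
    raw = cgi_meta_variables(CONSTRUCTED_HEADERS)
    print("raw CGI env:", raw)
    print("proxy override present:", env_has_proxy_override(raw))
    print("urllib would use:", proxies_seen_by_urllib(raw))
    clean = sanitize_cgi_env(raw)
    print("after gateway fix:", proxies_seen_by_urllib(clean))
```

The example deliberately leaves `REQUEST_METHOD` out of the constructed environment: current Python releases ignore an upper-case `HTTP_PROXY` when that variable is present, which is the library-side fix for this issue, so including it would hide what a client library without such a fix reads. Stripping the variable at the gateway protects every client library behind it, whichever language it is written in.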
~~~
cleeus
btw, the reference FastCGI C library libfcgi also alters the environment to
emulate legacy CGI and may also be vulnerable (haven't checked).

------
jimjag
NGINX should have really applied for a CVE instead of pretending that they are
immune.

~~~
FooBarWidget
But Nginx _isn't_ vulnerable. All Nginx does is proxy the HTTP headers. It
is the applications that run behind Nginx that may be vulnerable depending on
how they set/use environment variables.

Saying Nginx is vulnerable is like saying that the Linux kernel is vulnerable
to heartbleed.

~~~
cleeus
I think the CGI "standard" is to be blamed.

Whoever the f*ck had the brilliant idea to alter the environment variables of a
server child process through incoming HTTP headers should have his browser's
environment variables altered by the server's responses.

