HTTPoxy Vulnerability

The UCLA Information Security Office is providing the campus community with notice of a recently disclosed vulnerability affecting web servers that run server-side scripts in CGI-like environments. This includes web servers using PHP, Apache Tomcat, Python, Go, and others. Because CGI exposes each client request header to the script as an HTTP_-prefixed environment variable, a client-supplied Proxy header arrives as HTTP_PROXY, the variable many HTTP client libraries consult for outbound proxy settings. The vulnerability therefore allows attackers to remotely set HTTP_PROXY, letting them redirect the web server's outgoing HTTP requests, consume web server resources, and route those requests through intermediate servers of their choosing.

The recommended fix for this vulnerability depends on the type of web server and the corresponding CGI environment in use. The UCLA Information Security Office recommends that web server administrators follow the advice detailed here to configure public-facing web servers so that they are no longer vulnerable to this threat. In most cases, the recommended solution is to block the Proxy HTTP request header before it reaches the CGI environment.
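The following Python model, added here as an illustration and not part of the UCLA notice or of any web server's own code, shows why blocking the Proxy header is the recommended fix. It reproduces the CGI naming rule that turns request headers into HTTP_* variables, shows a naive environment builder producing HTTP_PROXY from a constructed request, and then applies two defender-side controls: dropping the Proxy header before the environment is built (the equivalent of a header-stripping rule at the web server), and having the outbound HTTP client ignore the uppercase HTTP_PROXY whenever REQUEST_METHOD is set, i.e. whenever the process is itself serving a CGI request. All function names, the sample headers and the `.invalid` hostnames are constructed for this example.

```python
"""Model of the HTTPoxy header-to-environment collision and its mitigations.

Added example, not code from the UCLA notice. Environments are plain dicts
rather than os.environ so the behaviour is deterministic and testable.
"""
from typing import Dict, Iterable, List, Optional, Tuple

Headers = Iterable[Tuple[str, str]]


def cgi_meta_variable(header_name: str) -> str:
    """RFC 3875 rule: uppercase the header name, map '-' to '_', prefix HTTP_."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_environ(headers: Headers, method: str = "GET") -> Dict[str, str]:
    """Naive CGI environment builder: every request header becomes HTTP_<NAME>.

    This is the behaviour that makes a client-sent 'Proxy' header appear to
    the script as HTTP_PROXY.
    """
    environ = {"REQUEST_METHOD": method}
    for name, value in headers:
        environ[cgi_meta_variable(name)] = value
    return environ


def build_cgi_environ_hardened(headers: Headers, method: str = "GET") -> Dict[str, str]:
    """Web-server-side mitigation: discard the Proxy header before mapping.

    Equivalent to stripping the header at the edge so HTTP_PROXY can never be
    populated from client input.
    """
    filtered: List[Tuple[str, str]] = [(n, v) for n, v in headers if n.lower() != "proxy"]
    return build_cgi_environ(filtered, method)


def outbound_proxy(environ: Dict[str, str]) -> Optional[str]:
    """What an unpatched HTTP client library does: honour HTTP_PROXY from the environment."""
    return environ.get("HTTP_PROXY") or environ.get("http_proxy")


def outbound_proxy_hardened(environ: Dict[str, str]) -> Optional[str]:
    """Runtime-side mitigation: inside a CGI request, distrust the uppercase variable.

    REQUEST_METHOD is only set when the process is serving a CGI request, and
    in that situation HTTP_PROXY may have come from the client's Proxy header.
    The lowercase http_proxy cannot be produced by the CGI mapping (the mapping
    always uppercases), so an administrator-set lowercase value is still honoured.
    """
    if "REQUEST_METHOD" in environ:
        return environ.get("http_proxy")
    return environ.get("HTTP_PROXY") or environ.get("http_proxy")


def proxy_header_present(headers: Headers) -> bool:
    """Detection helper: flag requests that carry a Proxy header.

    Legitimate browsers and clients do not send this header, so its presence
    is a useful signal to log or block at the web server or load balancer.
    """
    return any(n.lower() == "proxy" for n, _ in headers)


# Constructed sample request: a normal request with an attacker-style Proxy header added.
CONSTRUCTED_REQUEST: List[Tuple[str, str]] = [
    ("Host", "app.example.invalid"),
    ("User-Agent", "demo-client/1.0"),
    ("Proxy", "http://proxy.example.invalid:8080"),
]


def demo() -> Dict[str, Optional[str]]:
    """Run the naive and hardened paths side by side and return what each would use as proxy."""
    naive_env = build_cgi_environ(CONSTRUCTED_REQUEST)
    hardened_env = build_cgi_environ_hardened(CONSTRUCTED_REQUEST)
    return {
        "naive_server_naive_client": outbound_proxy(naive_env),
        "hardened_server_naive_client": outbound_proxy(hardened_env),
        "naive_server_hardened_client": outbound_proxy_hardened(naive_env),
    }


if __name__ == "__main__":
    print("Proxy header present:", proxy_header_present(CONSTRUCTED_REQUEST))
    for label, proxy in demo().items():
        print(f"{label}: {proxy!r}")
```

Only the first combination (naive server, naive client) ends up with the attacker-controlled proxy; either mitigation alone breaks the chain. In production the server-side control is a one-line configuration change, for example Apache's mod_headers directive `RequestHeader unset Proxy early`, while the client-side control is the approach adopted by patched language runtimes such as Python's urllib, which stops honouring HTTP_PROXY when REQUEST_METHOD is set.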

Please contact the Information Security Office at security@ucla.edu with any questions regarding this notice or for any assistance with testing and remediation.