I have been doing a task on detecting if httpoxy exists on a web server. I did not have any idea about it initially. After reading from a couple of sites, I understood how it works but I'm still unclear at certain places.

My understanding: HTTP header values are made available to CGI programs through environment variables.

Example: If we specify PATH in the header, it gets converted to HTTP_PATH.

Doubt: If we specify a non-existing header like Proxy, will that get converted to HTTP_PROXY, which collides with the already existing HTTP_PROXY environment variable that is set for the proxy?

KESHAV K

1 Answer

Yes. In some environments, any header Foo-Bar will be passed as an environment variable HTTP_FOO_BAR.

This means any environment variable starting with HTTP_ can't be trusted, because it can possibly be set by the user. In particular, HTTP_PROXY, which often specifies the outgoing proxy, is a likely target.

Sjoerd
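The header-to-variable mapping discussed above, as an added example that is not part of the original question or answer: a simplified Python model of how a CGI gateway builds the script's environment (name conversion per RFC 3875), a check for server-set variables that a request would overwrite, and the usual mitigation of dropping the `Proxy` header first. The function names and the sample values are assumptions made for illustration, including the assumption that the server's own `HTTP_PROXY` is inherited by the script.

```python
# Added example, not code from the original post.
# RFC 3875 mapping: upper-case the header name, replace "-" with "_",
# and prepend "HTTP_".

def env_name(header):
    """Name of the environment variable a request header becomes."""
    return "HTTP_" + header.upper().replace("-", "_")

def cgi_env(headers, server_env):
    """Environment handed to the CGI script (simplified model)."""
    env = dict(server_env)
    for name, value in headers.items():
        # Request data is written into the same namespace as server config.
        env[env_name(name)] = value
    return env

def shadowed(headers, server_env):
    """Server-set variables that this request would overwrite."""
    return sorted(env_name(h) for h in headers if env_name(h) in server_env)

def strip_proxy(headers):
    """Mitigation: drop the Proxy header before the environment is built."""
    return {h: v for h, v in headers.items() if env_name(h) != "HTTP_PROXY"}

# Constructed sample values (assumptions, for illustration only).
SERVER_ENV = {
    "PATH": "/usr/bin",
    "HTTP_PROXY": "http://proxy.internal.example:3128",
}
REQUEST = {
    "Path": "/tmp",                      # becomes HTTP_PATH, PATH is untouched
    "Proxy": "http://192.0.2.10:8080",   # becomes HTTP_PROXY, a collision
    "User-Agent": "test-client",
}

if __name__ == "__main__":
    print("overwritten by request:", shadowed(REQUEST, SERVER_ENV))
    print("unfiltered HTTP_PROXY: ", cgi_env(REQUEST, SERVER_ENV)["HTTP_PROXY"])
    safe = cgi_env(strip_proxy(REQUEST), SERVER_ENV)
    print("filtered HTTP_PROXY:   ", safe["HTTP_PROXY"])
```

A header named `Path` does not touch `PATH` because of the `HTTP_` prefix; the collision only occurs for variables whose real name already starts with `HTTP_`, which is why `HTTP_PROXY` stands out.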