Article ID: 129398, created on Sep 12, 2016, last review on Sep 15, 2016

  • Applies to:
  • Operations Automation 7.0
  • Operations Automation 6.0
  • Operations Automation 5.5


HTTPoxy is a set of vulnerabilities that affect application code running in CGI environments also known as CVE-2016-5387.

If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to proxy the outgoing HTTP requests made by the web application and direct them to an address of their choosing.

More information could obtained through httpoxy information website.

Currently all three web hosting technologies, provided by OA, are vulnerable: Linux Shared Hosting NG, Legacy Linux Shared Hosting and Windows Shared Hosting. Providers need to perform additional actions listed below to ensure that webhosting environment is protected from httpoxy.


Issue comes from specifics of implementation of proxy handling:

  1. According to RFC 3875, webserver puts the HTTP Proxy header from a request into the environment variable HTTP_PROXY.
  2. HTTP_PROXY is a popular environment variable which is used to configure an outgoing proxy by many applications.

Therefore, attacker could change value for HTTP_PROXY variable via simple HTTP request.


Linux Shared Hosting NG

Update httpd on all webservers using yum utility:

# yum update httpd

Corresponding fixes have already been provided by Apache and CloudLinux.

Legacy Linux Shared Hosting

Additional configuration should be performed on each webserver. In files:


Apply the changes described in the article:

# add the following line
# before first <DIRECTORY /> declaration block
RequestHeader unset Proxy early

So result will look like below:

RequestHeader unset Proxy early

Then restart pemhttpd service:

# /etc/init.d/pemhttpd restart

Windows Shared Hosting

Apply solution from the following article.

External references

Article on Redhat customer portal

HTTPoxy dedicated website

Search Words

proxy redirect



security vulnerability

5b048d9bddf8048a00aba7e0bdadef37 caea8340e2d186a540518d08602aa065 e12cea1d47a3125d335d68e6d4e15e07 5356b422f65bdad1c3e9edca5d74a1ae 2554725ed606193dd9bbce21365bed4e 0871c0b47b3b86ae3b1af4c2942cd0ce 1941880841f714e458ae4dc3d9f3062d 956c448bddc7e1f3585373687602379f 6f1456866eed87488c0f02b298a741c0

Email subscription for changes to this article
Save as PDF