IIS CGI HTTP_PROXY header requests may be redirected

Symptoms
When you use the IIS Common Gateway Interface (CGI) feature to host an executable program that uses a certain library to redirect requests, requests may be misdirected based on the presence of a "PROXY" request header. Several web application platforms are known to use this library. These include PHP, Python and Go, among others.
Cause
CGI is an interface that allows a web server to host applications that run as executable processes. When a request is received by a web server, the server starts a new process to handle that single request. When the request is completed, the process exits. In order for the process to have access to the request data, request headers are included as environment variables that have "HTTP_" prepended to their name. Therefore, CGI processes for requests that contain a header that's named "Proxy" have an "HTTP_PROXY" environment variable that has the same value as the request header.

The cURL command line and library are commonly used to enable various kinds of applications to make requests to various kinds of servers, including web servers. This library can be configured by using command line parameters, or it can read its configuration parameters from the host process environment variables. "HTTP_PROXY" is one of the many configuration parameters that are used by cURL. "HTTP_PROXY" is used by cURL to send an HTTP request through the configured proxy.

Note This is unrelated to "HTTP_PROXY" as the representation of a client request header.

When cURL is hosted within a CGI process, and that process contains an environment variable that is named "HTTP_PROXY," cURL uses its value to send requested data through the HTTP proxy whose value is specified in the environment variable. This occurs because cURL expects that "HTTP_PROXY" is a configuration directive and not a client request header.
Workaround
To work around this issue, do not use CGI on a server that is running IIS. CGI is a largely obsolete interface that has been replaced by newer, better-performing interfaces. Specifically, PHP, Python and Go should be hosted through FastCGI on IIS. FastCGI does not use environment variables for client request headers and does not have this issue. However, for PHP, some applications may use PHP's getenv() function to retrieve environment variables. Even when PHP is not hosted inside a CGI process, it replicates the CGI behavior by injecting request header values into the set of data available to its getenv() function. If you use a PHP application that retrieves HTTP_PROXY in this manner, the following mitigations of clearing the header value or rejecting requests with a PROXY header are effective.

If you do have to use CGI for some reason, either block requests that contain a request header named "Proxy" or clear the value of the header. Legitimate traffic is not affected, because "Proxy" is not a standard request header name and browsers will generally not send it.

To block a request that contains a Proxy header (the preferred solution), run the following command line:
appcmd set config /section:requestfiltering /+requestlimits.headerLimits.[header='proxy',sizelimit='0']

Note Appcmd.exe is not typically in the path and can be found in the %systemroot%\system32\inetsrv directory.

To clear the value of the header, you can use the following URL Rewrite rule:
<system.webServer>
    <rewrite>
        <rules>
            <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
                <match url="*.*" />
                <serverVariables>
                    <set name="HTTP_PROXY" value="" />
                </serverVariables>
                <action type="None" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>

Note URL Rewrite is a downloadable add-in to IIS and is not included in a default IIS installation.
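
The following added example (not part of the original article and not IIS or cURL code) models the header-to-environment mapping from the Cause section and the two mitigations from the Workaround section. The function names, sample requests and placeholder host are constructed for illustration, and proxy_from_env is a hypothetical stand-in for a client library that is assumed to treat an empty HTTP_PROXY value as "no proxy".

```python
"""Model of the CGI header-to-environment mapping and its mitigations."""

def cgi_environment(headers, server_env):
    """Build the environment a CGI process receives: each request header
    becomes HTTP_<NAME>, upper-cased with '-' replaced by '_'."""
    env = dict(server_env)
    env["GATEWAY_INTERFACE"] = "CGI/1.1"
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def proxy_from_env(env):
    """Hypothetical stand-in for an HTTP client library that reads
    HTTP_PROXY as configuration. Assumption: empty value means no proxy."""
    return env.get("HTTP_PROXY") or None

def should_reject(headers):
    """Model of the request-filtering mitigation: refuse any request that
    carries a Proxy header (header names are case-insensitive)."""
    return any(name.lower() == "proxy" for name in headers)

def clear_proxy_variable(env):
    """Model of the URL Rewrite mitigation: blank HTTP_PROXY before the
    CGI process is started."""
    cleaned = dict(env)
    cleaned["HTTP_PROXY"] = ""
    return cleaned

# Constructed sample requests; proxy.example.invalid is a placeholder host.
NORMAL = {"Host": "www.example.test", "User-Agent": "browser"}
WITH_PROXY = {"Host": "www.example.test",
              "Proxy": "http://proxy.example.invalid:8080"}
SERVER_ENV = {"SERVER_SOFTWARE": "constructed-sample"}

def demo():
    """Return, per sample request, what each mitigation would do."""
    results = {}
    for label, headers in (("normal", NORMAL), ("with_proxy", WITH_PROXY)):
        env = cgi_environment(headers, SERVER_ENV)
        results[label] = {
            "rejected": should_reject(headers),
            "proxy_unmitigated": proxy_from_env(env),
            "proxy_after_clear": proxy_from_env(clear_proxy_variable(env)),
        }
    return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```
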
Properties

Article ID: 3179800 - Last Review: 07/20/2016 20:20:00 - Revision: 2.0

Windows 10, Windows 10 Version 1511, Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation, Windows 8.1 Enterprise, Windows 8.1 Pro, Windows 8.1, Windows RT 8.1, Windows Server 2012 Datacenter, Windows Server 2012 Standard, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2008 R2 Service Pack 1, Windows 7 Service Pack 1, Windows Server 2008 Service Pack 2, Windows Vista Service Pack 2
