Google · Go · CVE-2016-5386
**Name of the Vulnerable Software and Affected Versions**
Go versions through 1.6
**Description**
The issue allows remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted `Proxy` header in an HTTP request. The cause is a failure to address the namespace conflict in RFC 3875 section 4.1.18, so CGI applications are not protected from untrusted client data in the `HTTP_PROXY` environment variable. An input validation flaw in the CGI components lets the incoming `Proxy` header set the `HTTP_PROXY` environment variable, changing where Go by default proxies all outbound HTTP requests.
**Recommendations**
For Go versions through 1.6, as a temporary workaround, consider restricting the use of the `HTTP_PROXY` environment variable to minimize the risk of exploitation. Avoid using the `HTTP_PROXY` variable in the affected CGI applications until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
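
The Go code below is an added example, not code from the Go project or from this advisory. It shows how the RFC 3875 naming rule turns a `Proxy` header into `HTTP_PROXY`, and two ways to apply the workaround above: dropping the header before it reaches a CGI handler, and refusing an environment-derived proxy in a CGI context. The helper names `cgiMetaVar`, `stripProxyHeader`, `cgiSafeProxy` and `proxyHeaderSeenBy`, and the sample host names, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"strings"
)

// cgiMetaVar applies the RFC 3875 section 4.1.18 naming rule: a request
// header becomes the meta-variable HTTP_<NAME>, upper-cased, "-" -> "_".
func cgiMetaVar(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// stripProxyHeader (hypothetical helper) removes the client-supplied Proxy
// header before the request reaches a CGI handler or a spawned CGI child.
func stripProxyHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("Proxy")
		next.ServeHTTP(w, r)
	})
}

// cgiSafeProxy (hypothetical; set as http.Transport.Proxy) goes direct when
// REQUEST_METHOD marks a CGI context, where HTTP_PROXY may be request data.
func cgiSafeProxy(req *http.Request) (*url.URL, error) {
	if os.Getenv("REQUEST_METHOD") != "" {
		return nil, nil // no proxy: connect directly
	}
	return http.ProxyFromEnvironment(req)
}

// proxyHeaderSeenBy reports the Proxy header value a wrapped handler sees.
func proxyHeaderSeenBy(wrap func(http.Handler) http.Handler) string {
	var seen string
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Proxy")
	})
	req := httptest.NewRequest("GET", "http://app.example/cgi-bin/app", nil)
	req.Header.Set("Proxy", "http://proxy.invalid:8080") // constructed sample value
	wrap(inner).ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	fmt.Println(cgiMetaVar("Proxy"), proxyHeaderSeenBy(stripProxyHeader) == "")
}
```

Wrap the CGI handler with `stripProxyHeader` on the server side, and build the outbound client with `&http.Transport{Proxy: cgiSafeProxy}` inside the CGI program.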