HTTPoxy vulnerability: CVE-2016-5387


2016-11-16 12:42:41 UTC


2017-04-24 11:22:51 UTC


Was this article helpful?

Have more questions?

Submit a request

HTTPoxy vulnerability: CVE-2016-5387

Applicable to:

  • Plesk


On July 18th, a vulnerability named "HTTPoxy" was announced, affecting some server‑side web applications that run in CGI or CGI‑like environments, such as some FastCGI configurations.

Several web servers, web frameworks and programming languages (most commonly in a CGI environment) will set the environmental variable HTTP_PROXY based on data from incoming requests (e.g. a request header called Proxy with user supplied data). The environmental variable HTTP_PROXY is used by numerous web client software packages to specify a remote proxy server to use for HTTP, and in some cases HTTPS requests.

This leads to a remotely exploitable vulnerability. When a web application runs it may be possible for an attacker to specify a proxy server which the application uses for subsequent outgoing requests sent through the attacker-controlled proxy, allowing a "Man-in-the-Middle" attack. This flaw has been given the name HTTPoxy

If you’re running PHP or CGI, you should block the Proxy header now.

Additional details are available on


Under the CGI specifications, headers are provided mixed into the environment variables. (These are formally known as “ Protocol-Specific Meta-Variables ”). That’s just the way the specifications works, not a failure or bug.


Have more questions? Submit a request
Please sign in to leave a comment.