Jump to >
Review Board and the HTTPoxy Vulnerability

HTTPoxy is an old, but recently-discussed security vulnerability affecting CGI-backed web applications (and certain client-side libraries). It allows an attacker to send a Proxy HTTP header to a vulnerable web server, and have that translate into a HTTP_PROXY environment variable, which may then be used to specify an HTTP Proxy server for use by HTTP requests initiated from the server. This happens because CGI-based web applications are provided the client's HTTP headers as environment variables, converted to uppercase and prefixed with HTTP_. This is normally not a problem, but

Effectively, HTTPoxy allows an attacker to Man-in-the-Middle HTTP requests made by the web application, intercepting traffic or returning bad data.

Don't worry, Review Board is safe!

Review Board is not vulnerable to HTTPoxy, as it doesn't use CGI. Most Review Board installs use WSGI, and some older installs use mod_python or FastCGI. None of these implementations are vulnerable (despite the "CGI" in the name "FastCGI").

We'd still recommend fine-tuning your server's settings to work around the HTTPoxy vulnerability, as a precaution, particularly if you're running anything else on the server. See the HTTPoxy Mitigation instructions for further details.