<div dir="ltr">Have you read over <a href="https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/">https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/</a>?</div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Aug 21, 2016 at 1:53 PM, Hamza Aboulfeth <span dir="ltr"><<a href="mailto:h.aboulfeth@genious.net" target="_blank">h.aboulfeth@genious.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div bgcolor="#FFFFFF" text="#000000">Hello everyone,<br>
<br>
I finally understand what's going on here...<br>
<br>
<a href="http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/10236/python-http-proxy-header-injection-vulnerability-cve20161000110" target="_blank">http://www.trendmicro.com/<wbr>vinfo/us/threat-encyclopedia/<wbr>vulnerability/10236/python-<wbr>http-proxy-header-injection-<wbr>vulnerability-cve20161000110</a><br>
<br>
I have been a victim of this attack, nginx is also affected, is there 
any patch for this new vulnerability?<br>
<br>
Thank you,<br>
Hamza<br>
<br>
<span>

</span><br>
<blockquote style="border:0px none" type="cite">
  <div style="margin:30px 25px 10px 25px"><div style="width:100%;border-top:1px solid #edeef0;padding-top:5px">   <div style="display:inline-block;white-space:nowrap;vertical-align:middle;width:49%">
        <a href="mailto:h.aboulfeth@genious.net" style="color:#737f92!important;padding-right:6px;font-weight:bold;text-decoration:none!important" target="_blank">Hamza Aboulfeth</a></div>   <div style="display:inline-block;white-space:nowrap;vertical-align:middle;width:48%;text-align:right">     <font color="#9FA2A5"><span style="padding-left:6px">August
 13, 2016 at 6:36 PM</span></font></div>    </div></div><div><div class="h5">
  <div style="color:#888888;margin-left:24px;margin-right:24px"><div>Hello,<br><br>We have 
formatted the server and installed everything over again, a week later 
the same problem occurred. All redirects are actually sent from time to 
time to another host:<br><br>[root@genious106 ~]# curl -IL -H "host: 
<a href="http://hespress.com" target="_blank">hespress.com</a>" xx.xx.xx.xx<br>HTTP/1.1 301 Moved Permanently<br>Server: 
nginx/1.10.1<br>Date: Sat, 13 Aug 2016 13:31:28 GMT<br>Content-Type: 
text/html<br>Content-Length: 185<br>Connection: keep-alive<br>Location: 
<a href="http://1755118211" target="_blank">http://1755118211</a><br>.com/<br>dbg-redirect: nginx<br><br>HTTP/1.1 302 
Found<br>Server: nginx/1.2.1<br>Date: Sat, 13 Aug 2016 13:31:17 GMT<br>Content-Type:
 text/html; charset=iso-8859-1<br>Connection: keep-alive<br>Set-Cookie: 
orgje=2PUrADQAAgABACUhr1f__<wbr>yUhr1dAAAEAAAAlIa9XMgACAAEAJSG<wbr>vV___JSGvVwA-; 
expires=Sun, 13-Aug-2017 13:31:17 GMT; path=/; domain=<a href="http://traffsell.com" target="_blank">traffsell.com</a><br>Location:
 <a href="http://triuch.com/6lo1I" target="_blank">http://triuch.com/6lo1I</a><br><br>HTTP/1.1 200 OK<br>Server: nginx<br>Date:
 Sat, 13 Aug 2016 13:31:17 GMT<br>Content-Type: text/html; charset=utf-8<br>Connection:
 keep-alive<br>Vary: Accept-Encoding<br>Vary: Accept-Encoding<br><br>[root@genious106
 ~]#<br><br>Even php redirect requests are rerouted.<br><br>Please 
advice,<br>Hamza<br><br></div></div>
  </div></div><div style="margin:30px 25px 10px 25px"><div style="width:100%;border-top:1px solid #edeef0;padding-top:5px">   <div style="display:inline-block;white-space:nowrap;vertical-align:middle;width:49%">
        <a href="mailto:francis@daoine.org" style="color:#737f92!important;padding-right:6px;font-weight:bold;text-decoration:none!important" target="_blank">Francis Daly</a></div>   <div style="display:inline-block;white-space:nowrap;vertical-align:middle;width:48%;text-align:right">     <font color="#9FA2A5"><span style="padding-left:6px">July 
16, 2016 at 8:47 AM</span></font></div>    </div></div>
  <div style="color:#888888;margin-left:24px;margin-right:24px"><span class=""><div>On Fri, Jul 15, 2016 at 
10:58:07PM +0100, Hamza Aboulfeth wrote:<br><br>Hi there,<br><br></div></span><div><br><span class="">If
 that x.x.x.x is enough to make sure that this request gets to your<br>nginx,
 then your nginx config is probably involved.<br><br>If this only 
started yesterday, then changes since yesterday (or since<br>your nginx 
was last restarted before yesterday) are probably most<br>interesting.<br><br>And
 as a very long shot: if you can "tcpdump" to see that nginx is sending<br>one
 thing, but the client is receiving something else, then you'll want<br>to
 look outside nginx at something else interfering with the traffic.<br><br>Good
 luck with it,<br><br>      f<br></span></div></div>
  <div style="margin:30px 25px 10px 25px"><div style="width:100%;border-top:1px solid #edeef0;padding-top:5px">   <div style="display:inline-block;white-space:nowrap;vertical-align:middle;width:49%">
        <a href="mailto:h.aboulfeth@genious.Net" style="color:#737f92!important;padding-right:6px;font-weight:bold;text-decoration:none!important" target="_blank">Hamza Aboulfeth</a></div>   <div style="display:inline-block;white-space:nowrap;vertical-align:middle;width:48%;text-align:right">     <font color="#9FA2A5"><span style="padding-left:6px">July 
15, 2016 at 10:58 PM</span></font></div>    </div></div>
  <div style="color:#888888;margin-left:24px;margin-right:24px">Hello,
<br><span class="">
<br>I have a weird problem that suddenly appeared on a client's website 
yesterday. We have a redirection from non www to www and sometimes the 
redirection sends somewhere else:
<br>
<br>[root@genious33 nginx-1.11.2]# curl -IL -H "host: <a href="http://hespress.com" target="_blank">hespress.com</a>" 
x.x.x.x
<br></span>HTTP/1.1 301 Moved Permanently
<br>Server: nginx/1.11.2
<br>Date: Fri, 15 Jul 2016 21:54:06 GMT
<br><span class="">Content-Type: text/html
<br>Content-Length: 185
<br>Connection: keep-alive
<br></span>Location: <a href="http://1755118213" target="_blank">http://1755118213</a>
<br><span class="">.com/
<br>dbg-redirect: nginx
<br>
<br>HTTP/1.1 302 Found
<br>Server: nginx/1.2.1
<br></span>Date: Fri, 15 Jul 2016 21:52:37 GMT
<br><span class="">Content-Type: text/html; charset=iso-8859-1
<br>Connection: keep-alive
<br></span>Set-Cookie: orgje=JbgbADQAAgABACVbiVf__<wbr>yVbiVdAAAEAAAAlW4lXAA--; 
expires=Sat, 15-Jul-2017 21:52:37 GMT; path=/; domain=<a href="http://traffsell.com" target="_blank">traffsell.com</a>
<br>Location: <a href="http://m.xxx.com/" target="_blank">http://m.xxx.com/</a>
<br>
<br>HTTP/1.1 200 OK
<br>Date: Fri, 15 Jul 2016 21:52:37 GMT
<br>Content-Type: text/html; charset=UTF-8
<br>Connection: keep-alive
<br>Set-Cookie: __cfduid=<wbr>d5624eb7a789e21f082873681ec36a<wbr>41b1468619557; 
expires=Sat, 15-Jul-17 21:52:37 GMT; path=/; domain=.<a href="http://hibapress.com" target="_blank">hibapress.com</a>; 
HttpOnly
<br>X-Powered-By: PHP/5.3.27
<br>X-LiteSpeed-Cache: hit
<br>Vary: Accept-Encoding
<br>X-Turbo-Charged-By: LiteSpeed
<br>Server: cloudflare-nginx
<br>CF-RAY: 2c307148667c3f77-YUL
<br>
<br>Sometimes it acts as it should sometimes it redirect somewhere else
<br>
<br>If you have any clue about what's happening, do help me :)
<br>
<br>Thank you,
<br>Hamza
<br><span class="">
<br>______________________________<wbr>_________________
<br>nginx mailing list
<br><a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a>
<br><a href="http://mailman.nginx.org/mailman/listinfo/nginx" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx</a>
<br></span></div>
</blockquote>
<br>
</div>
<br>______________________________<wbr>_________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx</a><br></blockquote></div><br></div>