
Cloud Vulnerability DB
A community-led vulnerabilities database
HHVM (HipHop Virtual Machine) was found to be vulnerable to a CGI application vulnerability known as 'httpoxy' (CVE-2016-1000109). The vulnerability affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive). The issue stems from HHVM not addressing RFC 3875 section 4.1.18 namespace conflicts, which could allow remote attackers to manipulate the HTTP_PROXY environment variable (NVD).
The vulnerability occurs when HHVM running in a CGI or CGI-like context assigns client request Proxy header values to internal HTTP_PROXY environment variables. This creates a namespace conflict where untrusted client data from the Proxy header gets transformed into the HTTP_PROXY environment variable, which many HTTP clients use to configure outgoing proxy settings. The vulnerability has a CVSS v3.1 Base Score of 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD, HTTPOXY).
When exploited, this vulnerability allows remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server through a crafted Proxy header in an HTTP request. This could potentially enable man-in-the-middle attacks on internal server subrequests or allow attackers to direct the server to initiate connections to arbitrary hosts (HTTPOXY).
The vulnerability was fixed in HHVM by ignoring the Proxy HTTP header in FastCGI requests. For affected versions, the recommended mitigation is to block or strip the Proxy header at the web server or reverse proxy before it reaches the application, which can be done in the configuration of NGINX, Apache, or another reverse proxy (HTTPOXY, GitHub Patch).
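To make the namespace conflict concrete, the following added example (not HHVM's, NGINX's or any other project's code) models the RFC 3875 header-to-environment mapping that produces HTTP_PROXY from a client Proxy header, the hardened mapping that drops that header as the HHVM fix does, and a small detection helper over a raw request. The request bytes and host names are constructed for the example.

```python
"""Model of the RFC 3875 section 4.1.18 mapping behind httpoxy, the
hardened form, and a detection helper (illustrative example code)."""
from typing import Dict, Optional


def cgi_meta_vars(headers: Dict[str, str]) -> Dict[str, str]:
    """Unpatched behaviour: every request header becomes HTTP_<NAME>,
    upper-cased with '-' replaced by '_'. A client-supplied 'Proxy'
    header therefore lands in HTTP_PROXY, the variable many HTTP
    clients consult for their outbound proxy."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_meta_vars_hardened(headers: Dict[str, str]) -> Dict[str, str]:
    """Same mapping, but the 'Proxy' header is discarded (case-insensitively)
    before translation, mirroring the approach of the HHVM fix."""
    safe = {n: v for n, v in headers.items() if n.lower() != "proxy"}
    return cgi_meta_vars(safe)


def find_proxy_header(raw_request: bytes) -> Optional[str]:
    """Return the value of a Proxy header in a raw HTTP request, or None.
    No legitimate client sends this header, so any hit in captured
    traffic or WAF logs is a reasonable alert condition."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"proxy":
            return value.strip().decode("latin-1")
    return None


# Constructed sample request; not a capture from any real system.
SAMPLE_REQUEST = (b"GET /app.php HTTP/1.1\r\n"
                  b"Host: app.example.test\r\n"
                  b"Proxy: proxy.example.test:8080\r\n"
                  b"User-Agent: demo\r\n\r\n")

if __name__ == "__main__":
    hdrs = {"Host": "app.example.test", "Proxy": "proxy.example.test:8080"}
    print("unpatched HTTP_PROXY:", cgi_meta_vars(hdrs).get("HTTP_PROXY"))
    print("hardened  HTTP_PROXY:", cgi_meta_vars_hardened(hdrs).get("HTTP_PROXY"))
    print("Proxy header present:", find_proxy_header(SAMPLE_REQUEST))
```

The hardened mapping still passes every other header through unchanged, so stripping Proxy at the reverse proxy (the page's recommended mitigation) has the same effect without touching the application.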
Source: This report was generated using AI