Simple step to check CGI Vuln on Nginx and how to fix it

Just add these lines to your /etc/nginx/fastcgi_params:

# Fix the HTTP_PROXY CGI application vulnerability
fastcgi_param  HTTP_PROXY  "";

and you are done.
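To confirm that every vhost using fastcgi_pass actually picks up that line, here is an added example (not part of the original post) that audits config files offline. The function names are hypothetical, and it assumes one directive per line and include paths that are absolute or wildcards.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes one directive per line.

# True if FILE has an uncommented `fastcgi_param HTTP_PROXY "";` line.
blanks_http_proxy() {
    grep -Eq "^[[:space:]]*fastcgi_param[[:space:]]+HTTP_PROXY[[:space:]]+(\"\"|'')[[:space:]]*;" "$1"
}

# Print the paths named by uncommented `include PATH;` lines in FILE.
list_includes() {
    sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\([^;[:space:]]\{1,\}\)[[:space:]]*;.*/\1/p' "$1"
}

# audit_vhost FILE prints: no-fastcgi, fixed or missing.
audit_vhost() {
    vhost=$1
    if ! grep -Eq '^[[:space:]]*fastcgi_pass[[:space:]]' "$vhost"; then
        echo "no-fastcgi"; return 0
    fi
    if blanks_http_proxy "$vhost"; then
        echo "fixed"; return 0
    fi
    # Unquoted on purpose so wildcard includes (conf.d/*.conf) expand.
    for inc in $(list_includes "$vhost"); do
        if [ -f "$inc" ] && blanks_http_proxy "$inc"; then
            echo "fixed"; return 0
        fi
    done
    echo "missing"
}

# Constructed sample files in a temp dir, mirroring the post's vhost layout.
demo() {
    d=$(mktemp -d)
    printf 'fastcgi_param  QUERY_STRING  $query_string;\n' > "$d/params_old"
    { cat "$d/params_old"; printf 'fastcgi_param  HTTP_PROXY  "";\n'; } > "$d/params_fixed"
    for p in old fixed; do
        printf 'server {\n  location /cgi-bin/ {\n    fastcgi_pass unix:/var/run/fcgiwrap.socket;\n    include %s;\n  }\n}\n' "$d/params_$p" > "$d/vhost_$p"
        echo "vhost_$p: $(audit_vhost "$d/vhost_$p")"
    done
    rm -rf "$d"
}

# With arguments, audit those files; with none, run the constructed demo.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do echo "$f: $(audit_vhost "$f")"; done
else
    demo
fi
```

The check is per file, not per location block. nginx inherits fastcgi_param directives from an outer level only when the inner level defines none of its own, so a "fixed" result still deserves a look at where the include sits.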

But if you only want to check for it on your server and you don't have mod cgi, just follow along:




1. Install fcgiwrap so that nginx can support CGI

apt-get install fcgiwrap

After the installation, the fcgiwrap daemon should already be started; its socket is /var/run/fcgiwrap.socket. If it is not running, you can use the /etc/init.d/fcgiwrap script to start it.

Now open your vhost configuration file…

vi /etc/nginx/sites-enabled/default

… and add a location /cgi-bin {} section to the server {} container:

server {
    location /cgi-bin/ {
        # Disable gzip (it makes scripts feel slower since they have to complete
        # before getting gzipped)
        gzip off;
        # Set the root to /var/www/html (inside this location this means that we are
        # giving access to the files under /var/www/html/cgi-bin)
        root  /var/www/html;
        # Fastcgi socket
        fastcgi_pass  unix:/var/run/fcgiwrap.socket;
        # Fastcgi parameters, include the standard ones
        include /etc/nginx/fastcgi_params;
        # Adjust non standard parameters (SCRIPT_FILENAME)
        fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    }
}

Reload nginx:

/etc/init.d/nginx reload

Next we create our cgi-bin directory – /var/www/html/cgi-bin because we defined root /var/www/html; in the location /cgi-bin {} container:

mkdir /var/www/html/cgi-bin

Now we place our CGI scripts in it and make them executable. For testing purposes I will create a small Hello World Perl script (instead of hello_world.cgi you can also use the extension .pl ->

vi /var/www/html/cgi-bin/hello_world.cgi

#!/usr/bin/perl -w
# Tell perl to send a html header.
# So your browser gets the output
# rather than <stdout> (command line
# on the server.)
print "Content-type: text/html\n\n";
# print your basic html tags.
# and the content of them.
print "<html><head><title>Hello World!! </title></head>\n";
print "<body><h1>Hello world</h1></body></html>\n";

chmod 755 /var/www/html/cgi-bin/hello_world.cgi

Open a browser and test the script:


You should see “Hello World” in your browser. If you do, congratulations: your nginx server supports CGI.

2. How to check for the CGI vuln

To diagnose the issue, temporarily install the following as a CGI script on your server and make it executable:

Create the file test.cgi:

vi /var/www/html/cgi-bin/test.cgi

This is the content; just insert it and save:

#!/bin/sh
echo "Content-Type:text/plain"
echo ""
echo "HTTP_PROXY='$HTTP_PROXY'"

Then call the CGI script with a “Proxy:” request header:

curl -H 'Proxy: AFFECTED' http://yourdefaultwebsite/cgi-bin/test.cgi

If you see the following output, your server is unaffected:


If instead you see the following, or any other output, your server may be affected and you should apply the fastcgi_params fix from the top of this post:


Thank you, hope this can help you 🙂
