SimplerCloud Pte Ltd


News: Security Advisory: HTTPoxy Vulnerability

Published: 28/07/2016

This advisory is provided as a courtesy.

We would like to bring to your attention that a new security vulnerability affecting CGI applications, called HTTPoxy, was disclosed last week. The vulnerability specifically affects web applications running under PHP and CGI, so if you are not running web applications on your servelet, you are not affected.


The vulnerability is caused by a name-space conflict: CGI places the client-supplied Proxy request header into the HTTP_PROXY environment variable, and HTTP_PROXY is also the variable commonly used to configure an outgoing proxy server. Because the client controls that header, the conflict is remotely exploitable.


Impact


The conflict causes a remotely exploitable vulnerability: a malicious attacker can proxy outgoing HTTP requests made by the web application, make the server establish outgoing connections to an unknown address and port, and tie up server resources through a malicious proxy, among other effects.


Affected Server


It is an application-level vulnerability, not an operating system (OS) level vulnerability. It mainly affects web applications running under PHP and CGI, regardless of the operating system (OS) being used. If your web application runs CGI scripts or code, then most likely your application is affected.


How to Fix the Problem


The easiest way to mitigate the problem is to block Proxy request headers at your web server, before they reach your application. The method varies depending on the web server being used.


- Apache:


Add the following two lines to your Apache configuration (httpd.conf or apache2.conf, depending on whether you're running CentOS or Ubuntu/Debian):


===
LoadModule headers_module {path-to}/mod_headers.so
RequestHeader unset Proxy early
===


More information:


https://www.apache.org/security/asf-httpoxy-response.txt


- Nginx:


You can add the following parameter to your Nginx FastCGI configuration:


===
fastcgi_param HTTP_PROXY "";
===


More information:


https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
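The following script is an added illustration, not SimplerCloud's code or configuration: it models how a CGI gateway turns request headers into HTTP_* environment variables (the name-space conflict described above), shows how a proxy-aware client library would pick up the resulting HTTP_PROXY value, and applies the two mitigations listed above (dropping the Proxy header as the Apache rule does, and passing an empty HTTP_PROXY as the Nginx rule does). The request headers and proxy address are constructed sample data.

```python
from typing import Dict


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """CGI (RFC 3875) rule: each request header becomes HTTP_<NAME>, with the
    name upper-cased and '-' replaced by '_'. A client-sent 'Proxy' header
    therefore lands in HTTP_PROXY, the variable proxy clients read."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Apache-style mitigation: drop the 'Proxy' header before the request
    reaches the application (equivalent of 'RequestHeader unset Proxy early')."""
    return {n: v for n, v in headers.items() if n.lower() != "proxy"}


def clear_http_proxy(env: Dict[str, str]) -> Dict[str, str]:
    """Nginx-style mitigation: hand the FastCGI backend an empty HTTP_PROXY
    (equivalent of 'fastcgi_param HTTP_PROXY "";')."""
    env = dict(env)
    env["HTTP_PROXY"] = ""
    return env


def outgoing_proxy(env: Dict[str, str]) -> str:
    """Model of a proxy-aware HTTP client library: honour HTTP_PROXY when it is
    set and non-empty, otherwise connect directly."""
    return env.get("HTTP_PROXY", "") or "direct"


# Constructed sample request; 203.0.113.0/24 is a documentation-only range.
SAMPLE_HEADERS = {"Host": "app.example", "User-Agent": "demo/1.0",
                  "Proxy": "http://203.0.113.10:8080"}


def demo():
    """Return where outgoing requests would go: unmitigated, Apache fix, Nginx fix."""
    vulnerable = outgoing_proxy(cgi_meta_variables(SAMPLE_HEADERS))
    apache_fix = outgoing_proxy(cgi_meta_variables(strip_proxy_header(SAMPLE_HEADERS)))
    nginx_fix = outgoing_proxy(clear_http_proxy(cgi_meta_variables(SAMPLE_HEADERS)))
    return vulnerable, apache_fix, nginx_fix


if __name__ == "__main__":
    v, a, n = demo()
    print(f"unmitigated: outgoing requests go via {v}")
    print(f"Apache fix:  outgoing requests go via {a}")
    print(f"Nginx fix:   outgoing requests go via {n}")
```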


More information


https://httpoxy.org/
https://access.redhat.com/security/vulnerabilities/httpoxy


Request Assistance


If needed, we can perform the above mitigation on your web server for a one-hour system admin fee of $50. Please submit your order at Order -> Additional Services -> System Admin (Per Hour) and include the necessary details of the scope of work.

Alternatively, please first open a support ticket and give us the hostname, IP address and OS template. You can find this information in your servelet's control panel.

For example:

Hostname: test-dd
IP Address: 103.25.202.81
OS Template: CentOS 6.5 (64-bit) 20140123a

Thank you.