httpoxy – a CGI application vulnerability now under control on our servers
A recently re-discovered server-side application vulnerability has been sending shivers down Internet users’ spine for a couple of days now.
The so-called ‘httpoxy’ vulnerability affects applications whose code is executed in CGI or other CGI-like environments.
To address this critical issue, we have enabled automatic website and app protection for managed solutions on our web hosting platform.
What is the httpoxy vulnerability about?
The new httpoxy vulnerability opens up ‘a green corridor’ for attackers to exploit the communication between a web application and other external applications via API.
If a vulnerable web application makes an outgoing HTTP connection, this could lead to a few critical consequences:
- the outgoing HTTP requests could be proxied;
- the server could be configured to send private information to a particular address and port;
- the server resources could be exhausted by forcing the application to use a malicious proxy;
An outgoing connection could be exploited when the hacker makes a request that includes a ‘Proxy’ request header.
The CGI then turns the header into an environment variable called HTTP_PROXY, which is used to configure an outgoing proxy.
The web application in turn makes a request to a hacker-defined destination instead of the particular API. Let’s see how this translates in a real-life scenario.
Protection measures against httpoxy (Managed Services):
As soon as the httpoxy vulnerability was announced, we took immediate measures to patch all web hosting services, which are under our control.
- All shared web hosting services;
- All semi-dedicated servers;
- Hepsia Control Panel-managed OpenVZ Virtual Private Servers;
- Managed OpenVZ Virtual Private Servers;
- Hepsia Control Panel-managed dedicated servers;
- Managed dedicated servers;
Protection measures against httpoxy (Unmanaged Services):
If you are using a non-managed OpenVZ server, a KVM VPS or a dedicated server, or/and do not use the Hepsia Control Panel, then you will need to take immediate measures to protect your applications from the httpoxy vulnerability.
First of all, keep in mind that your applications are in fact immune to the httpoxy vulnerability in the following cases:
- if your applications are making API requests over an encrypted (SSL/TLS/HTTPS) connection; httpoxy only affects unencrypted requests;
- if you are not using CGI, but instead faster and better code environment alternatives that have been introduced over the last few years;
If you are using CGI, but have not yet made use of an encrypted connection, then you can easily prevent any exploit attacks by blocking the ‘Proxy’ header.
NOTE: You can check out the immediate httpoxy mitigation instructions for your particular web server and proxy at httpoxy.org