HTTPoxy, also known as CVE-2016-5387, is a set of vulnerabilities that affect application code running in CGI environments.
If a vulnerable HTTP client makes an outgoing HTTP connection while running in a server-side CGI application, an attacker may be able to proxy the outgoing HTTP requests made by the web application and direct them to an address of their choosing.
More information can be obtained from the httpoxy information website.
Currently all three web hosting technologies provided by OA are vulnerable: Linux Shared Hosting NG, Legacy Linux Shared Hosting and Windows Shared Hosting. Providers need to perform the additional actions listed below to ensure that the webhosting environment is protected from httpoxy.
The issue comes from the way proxy handling is implemented:
- According to RFC 3875, the webserver puts the Proxy HTTP header from a request into the environment variable HTTP_PROXY.
- HTTP_PROXY is a popular environment variable that many applications use to configure an outgoing proxy.
Therefore, an attacker can change the value of the HTTP_PROXY variable with a simple HTTP request.
Linux Shared Hosting NG
Update httpd on all webservers using:
# yum update httpd
Corresponding fixes have already been provided by Apache and CloudLinux.
Legacy Linux Shared Hosting
Additional configuration should be performed on each webserver. In files:
Apply the changes described in the article:
# add the following line
# before first <DIRECTORY /> declaration block
RequestHeader unset Proxy early
The result will look like this:
ENABLESENDFILE Off
RequestHeader unset Proxy early
<DIRECTORY />
# /etc/init.d/pemhttpd restart
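To verify the Legacy Linux Shared Hosting change, the following added example (not part of the original article or of any vendor tooling) checks that an active RequestHeader unset Proxy early line precedes the first <Directory /> block in a given configuration file. The function names and the sample files are assumptions made for illustration; pass the configuration files named by the article as the argument.

```shell
#!/bin/sh
# Added example (not vendor code): audit an Apache config for the httpoxy fix.

# check_httpoxy_conf FILE
#   0  active "RequestHeader unset Proxy early" found before the first <Directory />
#   1  directive missing, commented out, or placed after <Directory />
#   2  FILE is not readable
check_httpoxy_conf() {
    conf=$1
    [ -r "$conf" ] || return 2
    awk '
        { line = tolower($0) }                  # match case-insensitively (page writes <DIRECTORY />)
        line ~ /^[ \t]*#/ { next }              # ignore commented-out lines
        line ~ /^[ \t]*requestheader[ \t]+unset[ \t]+proxy[ \t]+early[ \t]*$/ { found = 1; exit }
        line ~ /^[ \t]*<directory[ \t]+"?\/"?[ \t]*>/ { exit }   # reached first <Directory />
        END { exit (found ? 0 : 1) }
    ' "$conf"
}

# write_sample_confs DIR: constructed sample files, not taken from a real server.
write_sample_confs() {
    cat > "$1/unpatched.conf" <<'EOF'
ENABLESENDFILE Off
<DIRECTORY />
    AllowOverride None
</DIRECTORY>
EOF
    cat > "$1/patched.conf" <<'EOF'
ENABLESENDFILE Off
RequestHeader unset Proxy early
<DIRECTORY />
    AllowOverride None
</DIRECTORY>
EOF
    cat > "$1/misplaced.conf" <<'EOF'
# RequestHeader unset Proxy early
<Directory "/">
    AllowOverride None
</Directory>
RequestHeader unset Proxy early
EOF
}

# Demo on the constructed samples: sh check_httpoxy.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d) && write_sample_confs "$dir"
    for f in "$dir"/*.conf; do
        if check_httpoxy_conf "$f"; then echo "OK      $f"; else echo "MISSING $f"; fi
    done
    rm -rf "$dir"
fi
```

The check matches only the exact directive form shown in the article; a directive written with quoted arguments would need the pattern extended.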
Windows Shared Hosting
Apply the solution from the following article.