HTTPoxy is a set of vulnerabilities that affect application code running in CGI environments also known as #CVE-2016-5387.
Odin Automation system components are confirmed to be protected from the issue. However web hosting remains affected .
If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to proxy the outgoing HTTP requests made by the web application and direct them to an address of their choosing.
Additional information could obtained through httpoxy information website.
Issue comes from specifics of implementation of proxy handling:
- According to RFC 3875, webserver puts the HTTP Proxy header from a request into the environment variable HTTP_PROXY.
- HTTP_PROXY is a popular environment variable which is used to configure an outgoing proxy by many applications.
Therefore, attacker could change value for HTTP_PROXY variable via simple HTTP request.
Linux Shared Hosting NG
Update httpd on all webservers using
# yum update httpd
Corresponding fixes have already been provided by Apache and CloudLinux.
Legacy Linux Shared Hosting
Additional configuration should be performed on each webserver. In files:
Apply the changes described in the article:
# add the following line # before first <DIRECTORY /> declaration block RequestHeader unset Proxy early
So result will look like below:
ENABLESENDFILE Off RequestHeader unset Proxy early <DIRECTORY />
# /etc/init.d/pemhttpd restart
Windows Shared Hosting
Apply solution from the following article.