Symptoms

HTTPoxy, also known as CVE-2016-5387, is a set of vulnerabilities that affect application code running in CGI environments.

Odin Automation system components are confirmed to be protected from the issue. However, web hosting remains affected.

If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to proxy the outgoing HTTP requests made by the web application and direct them to an address of their choosing.

Additional information is available on the httpoxy information website.

Cause

The issue comes from the way proxy handling is implemented:

  1. According to RFC 3875, the webserver puts the HTTP Proxy header from a request into the environment variable HTTP_PROXY.
  2. HTTP_PROXY is a popular environment variable that many applications use to configure an outgoing proxy.

Therefore, an attacker can change the value of the HTTP_PROXY variable with a simple HTTP request.

Resolution

Linux Shared Hosting NG

Update httpd on all webservers using the yum utility:

# yum update httpd

Corresponding fixes have already been provided by Apache and CloudLinux.

Legacy Linux Shared Hosting

Additional configuration should be performed on each webserver. In the files:

/usr/local/pem/etc/apache/httpd.conf_pem.tmpl22x
/usr/local/pem/etc/apache/httpd.conf_pem

Apply the changes described in the article:

# add the following line
# before the first <Directory /> declaration block
RequestHeader unset Proxy early

The result will look like this:

EnableSendfile Off
RequestHeader unset Proxy early
<Directory />

Then restart the pemhttpd service:

# /etc/init.d/pemhttpd restart
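
To confirm the edit on each webserver, the following check can be run against both files. It is an added example, not part of the original article or any vendor tooling; the function names are hypothetical, and it also accepts the quoted form <Directory "/">.

```shell
#!/bin/sh
# Added example (not vendor code): verify the HTTPoxy mitigation in a config.
# Prints OK, MISSING, MISPLACED or UNREADABLE; returns 0 only for OK.
check_httpoxy_fix() {
    [ -r "$1" ] || { echo "UNREADABLE"; return 2; }
    awk '
        /^[ \t]*#/ { next }        # commented-out directives do not count
        { line = tolower($0) }     # Apache directive names are case-insensitive
        !fix && line ~ /^[ \t]*requestheader[ \t]+unset[ \t]+proxy[ \t]+early[ \t]*$/ { fix = NR }
        !dir && line ~ /^[ \t]*<directory[ \t]+"?\/"?[ \t]*>/ { dir = NR }
        END {
            if (!fix)             { print "MISSING";   exit 1 }
            # Present, but not before the first <Directory /> as the article asks.
            if (dir && fix > dir) { print "MISPLACED"; exit 1 }
            print "OK"
        }
    ' "$1"
}

# Constructed sample configs (not real server files), one per verdict.
demo_httpoxy_check() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'EnableSendfile Off' 'RequestHeader unset Proxy early' \
        '<Directory />' '</Directory>' > "$d/fixed.conf"
    printf '%s\n' 'EnableSendfile Off' '# RequestHeader unset Proxy early' \
        '<Directory />' '</Directory>' > "$d/commented.conf"
    printf '%s\n' '<Directory />' '</Directory>' \
        'RequestHeader unset Proxy early' > "$d/late.conf"
    for f in fixed commented late; do
        printf '%s: %s\n' "$f" "$(check_httpoxy_fix "$d/$f.conf")"
    done
    rm -rf "$d"
}

# With file arguments, check those files; with none, run the constructed demo.
main() {
    [ "$#" -gt 0 ] || { demo_httpoxy_check; return; }
    rc=0
    for f in "$@"; do
        printf '%s: ' "$f"
        check_httpoxy_fix "$f" || rc=1
    done
    return "$rc"
}
main "$@"
```

Saved to a file of your choosing, the script takes the two configuration paths listed above as arguments and exits non-zero if either file lacks the directive.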

Windows Shared Hosting

Apply the solution from the following article.

External references

Article on Red Hat customer portal

HTTPoxy dedicated website
