{"id":771,"date":"2017-02-24T12:49:24","date_gmt":"2017-02-24T12:49:24","guid":{"rendered":"http:\/\/reseller-hosting-themes.com\/wordpress\/?p=771"},"modified":"2017-03-13T14:57:55","modified_gmt":"2017-03-13T14:57:55","slug":"full-protection-httpoxy-cgi-vulnerability-all-servers","status":"publish","type":"post","link":"https:\/\/reseller-hosting-themes.com\/wordpress\/full-protection-httpoxy-cgi-vulnerability-all-servers\/","title":{"rendered":"Full protection from httpoxy CGI vulnerability on all servers"},"content":{"rendered":"

\"httpoxyOne of the main causes for discomfort among Internet users lately is a recently re-discovered server-side application vulnerability – httpoxy.<\/p>\n

It affects applications whose code is executed in CGI or other CGI-like environments.<\/p>\n

One of the measures taken\u00a0in order to address this vulnerability was to enable automatic website and app protection for managed solutions on the\u00a0web hosting platform.<\/p>\n

How does the ‘httpoxy’ vulnerability work?<\/h2>\n

The reason why the ‘httpoxy’ vulnerability presents such a threat is the fact that it provides ‘a green corridor’ for individuals with malicious intentions – thus allowing them to exploit the communication between a web application and other external applications via API.<\/p>\n

Some of the unwanted consequences of a vulnerable web application making an outgoing HTTP connection are:<\/p>\n

\u2022 the outgoing HTTP requests could be proxied
\n\u2022 the server can be\u00a0configured to send private information to a particular address and port
\n\u2022 it forces\u00a0the application to use a malicious proxy
\n\u2022 it exhausts the server resources<\/p>\n

In case a hacker makes a request that includes a \u2018Proxy\u2019 request header – an outgoing connection can be\u00a0exploited.<\/p>\n

The aforementioned header is subsequently turned by the CGI into an environment variable called HTTP_PROXY.\u00a0In turn it configures an outgoing proxy.<\/p>\n

Afterwards, the web application makes a request to a destination selected by the hacker rather than to the particular API.<\/p>\n

Protection measures against ‘httpoxy’ (Managed Services):<\/h2>\n

We patched all of the web hosting services that are under our control the instant we were informed about the ‘httpoxy’ vulnerability.<\/p>\n

Among these web hosting services are:
\n\u2022 All web hosting services<\/a>
\n\u2022 All semi-dedicated servers<\/a>
\n\u2022 Hepsia Control Panel-managed OpenVZ Virtual Private Servers
\n\u2022 Managed OpenVZ Virtual Private Servers<\/a>
\n\u2022 Hepsia Control Panel-managed dedicated servers
\n\u2022 Managed dedicated servers<\/a><\/p>\n

Protection measures against ‘httpoxy’ (Unmanaged Services):<\/h2>\n

You will have to take immediate measures to protect your applications from the ‘httpoxy’ vulnerability – provided you are using a non-managed OpenVZ server, a KVM VPS or a dedicated server, or\/and do not use the Hepsia Control Panel<\/a>.<\/p>\n

In the following cases your applications are immune to the ‘httpoxy’ vulnerability:<\/p>\n

\u2022 since ‘httpoxy’ only affects unencrypted requests, your applications would be totally safe if they are making API requests over an encrypted (SSL\/TLS\/HTTPS) connection
\n\u2022 if you use one of the many faster and better code environment alternatives of CGI that were\u00a0introduced over the last few years<\/p>\n

Another solution that would keep you safe in case you are using CGI with no encrypted connection is to block the \u2018Proxy\u2019 header.<\/p>\n","protected":false},"excerpt":{"rendered":"

Learn more about httpoxy and how to protect your accounts and servers from this PHP vulnerability. Users with managed services are already secured.<\/p>\n","protected":false},"author":1,"featured_media":1033,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/reseller-hosting-themes.com\/wordpress\/wp-json\/wp\/v2\/posts\/771"}],"collection":[{"href":"https:\/\/reseller-hosting-themes.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/reseller-hosting-themes.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/reseller-hosting-themes.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/reseller-hosting-themes.com\/wordpress\/wp-json\/wp\/v2\/comments?post=771"}],"version-history":[{"count":10,"href":"https:\/\/reseller-hosting-themes.com\/wordpress\/wp-json\/wp\/v2\/posts\/771\/revisions"}],"predecessor-version":[{"id":1236,"href":"https:\/\/reseller-hosting-themes.com\/wordpress\/wp-json\/wp\/v2\/posts\/771\/revisions\/1236"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/reseller-hosting-themes.com\/wordpress\/wp-json\/wp\/v2\/media\/1033"}],"wp:attachment":[{"href":"https:\/\/reseller-hosting-themes.com\/wordpress\/wp-json\/wp\/v2\/media?parent=771"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/reseller-hosting-themes.com\/wordpress\/wp-json\/wp\/v2\/categories?post=771"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/reseller-hosting-themes.com\/wordpress\/wp-json\/wp\/v2\/tags?post=771"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}