Safe from httpoxy Vulnerability or How Thinking Ahead Pays Off

A dangerous, easy-to-exploit vulnerability called httpoxy, first discovered 15 years ago, reappeared yesterday, leaving server-side website software potentially open to attackers. This security hole affects a large number of PHP and CGI web apps, which means that anything running on PHP, Apache, Go, HHVM or Python can be vulnerable. The exploit allows man-in-the-middle attacks that could compromise web servers, expose sensitive data or let an attacker seize control of the code. Thanks to our unique in-house developed systems and some precautions taken ahead of time by our DevOps team, SiteGround customers are unaffected by the return of this vulnerability.

How does the exploit work?

The attacker crafts a specific Proxy HTTP header in a request to the application, and the server exports it as a common environment variable called HTTP_PROXY on the application's server. Because of that naming conflict, the app then uses the proxy server defined by that variable for any of its outgoing HTTP connections. If the attacker has pointed HTTP_PROXY at a malicious server, they can intercept the web app's connections to other systems and, depending on how the code is designed, potentially gain remote code execution. The best immediate mitigation is to block PROXY request headers as early as possible, before they reach your application.

How we avoided being affected by the vulnerability

We have our own unique in-house PHP and CGI setup, developed in 2007, which we continue to maintain and improve to this day. Back when our DevOps team started developing this setup, they were aware of the potential fault in exporting the PROXY header. That is why, as a precaution, they decided to exclude the PROXY header from our list of allowed environment parameters. This means that we do not even need to unset the HTTP_PROXY variable, as the security advisories suggest in this case; we simply do not allow it to be passed through from any HTTP request.
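To make the header-to-environment mapping and the allowlist approach concrete, here is an added example (constructed for this article, not SiteGround's own CGI setup or any real server's code): it shows how a `Proxy` request header becomes `HTTP_PROXY` under the CGI naming convention, how a proxy-aware client would then pick it up, and how an allowlist of exported headers closes the hole. The request text and the `ALLOWED_HEADERS` set are assumptions made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample request (not captured traffic): the client supplies a
# "Proxy" header, which the CGI convention would export as HTTP_PROXY.
SAMPLE_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Proxy: http://proxy.invalid:8080\r\n"
    "User-Agent: curl/7.47.0\r\n"
    "\r\n"
)

# Hypothetical allowlist of request headers this deployment exports to the
# application. "proxy" is deliberately absent, so HTTP_PROXY can never be set.
ALLOWED_HEADERS = {"host", "user-agent", "accept", "content-type",
                   "content-length", "cookie"}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw request into (name, value) pairs, skipping the request line."""
    headers = []
    for line in raw.split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def cgi_env_name(header: str) -> str:
    """CGI meta-variable naming: 'Proxy' -> HTTP_PROXY, 'User-Agent' -> HTTP_USER_AGENT."""
    return "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", header).upper()


def build_env_naive(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Export every request header; this is the behaviour httpoxy abuses."""
    return {cgi_env_name(n): v for n, v in headers}


def build_env_allowlisted(headers: List[Tuple[str, str]],
                          allowed=ALLOWED_HEADERS) -> Dict[str, str]:
    """Export only allowlisted headers; a 'Proxy' header is dropped, not unset later."""
    return {cgi_env_name(n): v for n, v in headers if n.lower() in allowed}


def outbound_proxy(env: Dict[str, str]) -> str:
    """Mimic a proxy-aware HTTP client that honours HTTP_PROXY from its environment."""
    return env.get("HTTP_PROXY", "")
```

Run `outbound_proxy(build_env_naive(parse_headers(SAMPLE_REQUEST)))` to see the attacker-supplied proxy leak through, and the allowlisted variant to see it disappear while `HTTP_HOST` and `HTTP_USER_AGENT` survive.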

Thanks to our knowledgeable security and systems design team, we were able to predict the possibility of a reappearance of this vulnerability and we proactively designed our systems in a way to protect our clients.

Daniel Kanchev

Enterprise Cloud Solutions Architect

My challenging job is closely related to all kinds of Free and Open-Source Software products (some of my favorites are WordPress, Joomla!, Magento, Varnish and Apache mod_security). As a web security and performance freak I am always hyper-focused on solving all kinds of issues and improving our services.

Comments ( 26 )

Eric

Jul 19, 2016

Good work Siteground Team! By far the #1 Hosting Service provider out there :)

Angelina Micheva

Jul 20, 2016

Thank you, Eric!

Alvin Gan

Jul 19, 2016

Thanks SiteGround DevOps for thinking ahead and developing great server performance with constant performance and security fixes

Angelina Micheva

Jul 20, 2016

Our DevOps team is amazing and they are true experts in what they do so your sites are safe with us.

kenny

Jul 20, 2016

Beautiful, good thinking all those years ago. Glad that you communicate this as well. Keeps us aware that you are working away behind the scenes to keep our sites safe.

Erik Joling

Jul 20, 2016

Well spoken Kenny, I totally agree!

Lauro

Jul 20, 2016

Thanks to your investigations, now and even so many years ago! Excellent maintenance work, so the security of our websites never suffers!

John Cope

Jul 20, 2016

It's great to know that if I happen upon an article about the exploit I don't need to be concerned. One less thing for me to do, thanks for posting.

abrham assefa

Jul 21, 2016

I am proud of the SiteGround Team, and am happy being a user customer.

Chris Olsen

Aug 10, 2016

Thank you! Glad my sites are hosted with you. Lets me focus on the website and not worry about hosting.

Alain

Aug 10, 2016

That's why I have been a happy Siteground customer for years :)

Brian A

Aug 10, 2016

Thank you yet again to all at SiteGround.com for helping to keep your networks better protected - and therefore all the websites installed on them, and for letting us know about some of the great work you do "in the background".

Thomas Whittaker

Aug 10, 2016

#PeaceOfMind when you have SG as your BUDDY :)

Jag

Aug 10, 2016

Thank you! It is comforting. Jag KudosWall.com

Alisa natal

Aug 11, 2016

You guys rock! Loving the decision to move myself and all my clients over to you. SO much better, you make life of managing a bunch of sites so much easier. Thanks!

Ken Weill Lumacad

Aug 11, 2016

That's good news. I'm proud to be with SiteGround. Migrating to SiteGround was the best choice I made for my websites. Kudos to the SiteGround team.

aj

Aug 11, 2016

The best hosting services and support team. Thanks SiteGround.

Rodel

Aug 11, 2016

Best Hosting Provider Ever :) Good Siteground... I'm so Happy... 101 Best Hosting.

Shayan

Aug 11, 2016

You were not my first web hosting, but it seems like you are the last I will ever try :) Good luck SG.

Geoff

Aug 11, 2016

Delighted with my switch in hosting to Siteground. A******* customer service and product. Thanks guys

Jarold Villanueva

Aug 11, 2016

Nice work... Two thumbs up.... Best Hosting Ever... :-)

Carla

Aug 11, 2016

Well done Team SiteGround! Thanks for keeping us updated.

Jaswinder Kaur

Aug 11, 2016

I am happy to be an SG customer! Thanks.

Mohd Shahrizan Ahmad Yusof

Aug 13, 2016

Your Super Technical Team is second to none and a perfect match with your infamous Support Team, which has proven to be the best support in the world (as written in EVERY FORUM / WEBSITE). I always wondered, since your regular support already makes us feel like VIP customers, then I believe your so-called Premium Support will definitely make us feel like we get the Royal Treatment! As for your technical team, you guys never stop amazing us with your continuous dedication. I'm glad I chose SG as my first web-hosting company. After almost a year of being your customer, I believe that is the best decision I ever made.

Jan

May 21, 2017

Hi everyone, I am planning to host a Django-cms app. Which python3 version(s) are you supporting? Kind regards, Jan Nusselder

Hristo Pandjarov Siteground Team

May 22, 2017

Right now we have 2.7.5 and 2.4.3 available on our servers but we will be adding another version (3rd branch) for our customers shortly!
