Safe from httpoxy Vulnerability or How Thinking Ahead Pays Off
A dangerous easy-to-exploit vulnerability called httpoxy discovered 15 years ago, reappeared again yesterday, leaving server-side website software potentially open to attackers. This security hole impacts a large number of PHP and CGI web-apps. This means that anything that runs on PHP, Apache, Go, HHVM, Python can be vulnerable. The exploit allows man-in-the-middle attacks that could compromise web servers and potentially access sensitive data or seize control of the code. Thanks to our unique in-house developed systems and some precautions taken ahead of time by our DevOps team, SiteGround customers are unaffected by the return of the vulnerability.
How does the exploit work?
The abuser crafts a specific Proxy HTTP header in a request to the application to set a common environment variable called HTTP_PROXY on the application’s server. The app then, due to a naming conflict uses the proxy server defined by that variable for any of its outgoing HTTP connections. In such manner if the attacker has pointed the HTTP_PROXY at a malicious server, you can intercept the web app’s connections to other systems and, depending on how the code is designed, potentially gain remote code execution. The best immediate mitigation is to block PROXY request headers as early as possible, and before they hit your application.
How we avoided being affected by the vulnerability now?
We have our own unique in-house PHP and CGI setup that we developed in 2007 and continue to maintain and improve until today. Way back then when our DevOps team started to develop this setup, they were aware of the potential fault in using the PROXY header. That’s why, as a precaution, they decided to exclude the PROXY header from our list of allowed environment parameters. This means that we don’t even need to unset the HTTP_PROXY header as the security advisors suggest in this case, we simply do not allow it to be included in any HTTP requests.
Thanks to our knowledgeable security and systems design team, we were able to predict the possibility of a reappearance of this vulnerability and we proactively designed our systems in a way to protect our clients.