Safe from httpoxy Vulnerability or How Thinking Ahead Pays Off


A dangerous, easy-to-exploit vulnerability called httpoxy, first discovered 15 years ago, reappeared yesterday, leaving server-side website software potentially open to attackers. This security hole impacts a large number of PHP and CGI web apps, which means that anything that runs on PHP, Apache, Go, HHVM or Python can be vulnerable. The exploit allows man-in-the-middle attacks that could compromise web servers and potentially expose sensitive data or seize control of the code. Thanks to our unique in-house developed systems and some precautions taken ahead of time by our DevOps team, SiteGround customers are unaffected by the return of the vulnerability.

How does the exploit work?

The attacker crafts a request to the application that carries a Proxy HTTP header. On the application's server, the CGI convention of exposing request headers as environment variables turns that header into a common variable called HTTP_PROXY, and because of this naming conflict the app then uses the proxy server defined by that variable for any of its outgoing HTTP connections. If the attacker has pointed HTTP_PROXY at a server they control, they can intercept the web app's connections to other systems and, depending on how the code is designed, potentially gain remote code execution. The best immediate mitigation is to block Proxy request headers as early as possible, before they reach your application.

How did we avoid being affected by the vulnerability?

We have our own unique in-house PHP and CGI setup that we developed in 2007 and continue to maintain and improve to this day. Back when our DevOps team started to develop this setup, they were aware of the potential fault in passing the Proxy header through. That's why, as a precaution, they decided to exclude the PROXY header from our list of allowed environment parameters. This means that we don't even need to unset HTTP_PROXY as the security advisories suggest in this case; we simply do not allow the header through from any HTTP request.
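To make the mechanism from the two sections above concrete, here is an added Python example (not SiteGround's code) that reproduces the CGI header-to-environment mapping, shows the Proxy request header surfacing as HTTP_PROXY, and contrasts the unfiltered behaviour with an allowlist of permitted headers of the kind described above. The sample request, the allowlist contents and the proxy lookup are constructed assumptions.

```python
# Constructed sample request: an ordinary request that also carries the
# attacker-supplied "Proxy" header described in the article.
SAMPLE_HEADERS = [
    ("Host", "shop.example.test"),
    ("User-Agent", "constructed-client/1.0"),
    ("Proxy", "http://attacker-proxy.invalid:8080"),  # constructed value
]

# Hypothetical allowlist of request headers that may become environment
# variables. The point of the allowlist approach is that "proxy" is simply
# never on it, so nothing has to be unset later.
ALLOWED_HEADERS = {"host", "user-agent", "accept", "cookie", "x-forwarded-for"}


def cgi_meta_variable(header_name):
    """RFC 3875 section 4.1.18 mapping: uppercase, '-' becomes '_',
    and the name is prefixed with 'HTTP_'. This is the naming collision:
    the request header 'Proxy' becomes 'HTTP_PROXY'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_environment(headers, allowed=None):
    """Turn request headers into CGI meta-variables.

    allowed=None reproduces the unfiltered (vulnerable) behaviour where every
    header reaches the environment; otherwise only allowlisted header names
    (compared case-insensitively, so 'PROXY' and 'proxy' are covered) do."""
    env = {}
    for name, value in headers:
        if allowed is not None and name.lower() not in allowed:
            continue
        env[cgi_meta_variable(name)] = value
    return env


def outbound_proxy(env):
    """Mimic what a proxy-aware HTTP client library does when it opens an
    outgoing http:// connection: it consults HTTP_PROXY / http_proxy in its
    environment and routes the connection through whatever it finds."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


if __name__ == "__main__":
    unfiltered = build_cgi_environment(SAMPLE_HEADERS)
    print("unfiltered -> outgoing requests go via:", outbound_proxy(unfiltered))
    hardened = build_cgi_environment(SAMPLE_HEADERS, allowed=ALLOWED_HEADERS)
    print("allowlisted -> outgoing requests go via:", outbound_proxy(hardened))
```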

Thanks to our knowledgeable security and systems design team, we were able to predict the possibility of a reappearance of this vulnerability and we proactively designed our systems in a way to protect our clients.

Enterprise Cloud Solutions Architect

My challenging job is closely related to all kinds of Free and Open-Source Software products (some of my favorites are WordPress, Joomla!, Magento, Varnish and Apache mod_security). As a web security and performance freak I am always hyper-focused on solving all kinds of issues and improving our services.

26 Comments

  1. Eric (July 19, 2016 / 10:45)

    Good work Siteground Team!

    By far the #1 Hosting Service provider out there 🙂

    • Angelina Micheva (July 20, 2016 / 00:52)

      Thank you, Eric!

  2. Alvin Gan (July 19, 2016 / 11:21)

    Thanks SiteGround DevOps for thinking ahead and developing great server performance with constant performance and security fixes

    • Angelina Micheva (July 20, 2016 / 01:30)

      Our DevOps team is amazing and they are true experts in what they do so your sites are safe with us.

  3. kenny (July 20, 2016 / 06:16)

    Beautiful, good thinking all those years ago. Glad that you communicate this as well. Keeps us aware that you are working away behind the scenes to keep our sites safe.

    • Erik Joling (July 20, 2016 / 07:24)

      Well spoken Kenny, I totally agree!

  4. Lauro (July 20, 2016 / 07:53)

    Thanks to your investigations, now and even so many years ago! Excellent maintenance work, so the security of our websites is never compromised!

  5. John Cope (July 20, 2016 / 17:58)

    It's great to know that if I happen upon an article about the exploit I don't need to be concerned. One less thing for me to do, thanks for posting

  6. abrham assefa (July 21, 2016 / 00:36)

    I am proud of the SiteGround Team, and am happy being a user and customer

  7. Chris Olsen (August 10, 2016 / 09:51)

    Thank you! Glad my sites are hosted with you. Lets me focus on the website and not worry about hosting.

  8. Alain (August 10, 2016 / 09:56)

    That's why I have been a happy SiteGround customer for years 🙂

  9. Brian A (August 10, 2016 / 10:31)

    Thank you yet again to all at SiteGround.com for helping to keep your networks better protected - and therefore all the websites installed on them, and for letting us know about some of the great work you do "in the background".

  10. Thomas Whittaker (August 10, 2016 / 12:49)

    #PeaceOfMind when you have SG as your BUDDY 🙂

  11. Jag (August 10, 2016 / 15:06)

    Thank you! It is comforting.

    Jag
    KudosWall.com

  12. Alisa natal (August 10, 2016 / 20:16)

    You guys rock! Loving the decision to move myself and all my clients over to you. SO much better, you make the life of managing a bunch of sites so much easier. Thanks!

  13. Ken Weill Lumacad (August 10, 2016 / 21:44)

    That's good news. I'm proud to be with SiteGround.
    Migrating to SiteGround was the best choice I made for my websites.

    Kudos to the SiteGround team.

  14. aj (August 10, 2016 / 22:11)

    the best hosting services and support team. thanks SiteGround

  15. Rodel (August 10, 2016 / 22:11)

    Best Hosting Provider Ever 🙂 Good SiteGround... I'm so Happy... 101 Best Hosting..

  16. Shayan (August 11, 2016 / 01:56)

    You were not my first web host, but it seems like you are the last I will ever try 🙂
    Good luck SG.

  17. Geoff (August 11, 2016 / 04:10)

    Delighted with my switch in hosting to Siteground. A******* customer service and product. Thanks guys

  18. Jarold Villanueva (August 11, 2016 / 05:24)

    Nice work... Two thumbs up.... Best Hosting Ever... 🙂

  19. Carla (August 11, 2016 / 07:03)

    Well done Team SiteGround! Thanks for keeping us updated.

  20. Jaswinder Kaur (August 11, 2016 / 09:33)

    I am happy to be an SG customer!

    Thanks.

  21. Mohd Shahrizan Ahmad Yusof (August 13, 2016 / 04:54)

    Your Super Technical Team is second to none and a perfect match with your infamous Support Team, which has proven to be the best support in the world (as written in EVERY FORUM / WEBSITE). I always wondered: if your regular support already makes us feel like VIP customers, then I believe your so-called Premium Support will definitely make us feel like we get the Royal Treatment!

    As for your technical team, you guys never stop amazing us with your continuous dedication. I'm glad I chose SG as my first web-hosting company. After almost a year of being your customer, I believe that was the best decision I ever made.

  22. Jan (May 21, 2017 / 07:18)

    Hi everyone,

    I am planning to host a Django-cms app. Which python3 version(s) are you supporting?

    Kind regards,

    Jan Nusselder

    • Hristo Pandjarov (May 22, 2017 / 00:48)

      Right now we have 2.7.5 and 2.4.3 available on our servers but we will be adding another version (3rd branch) for our customers shortly!
