
A 15-year-old security vulnerability rears its ugly head again

July 19, 2016

A critical but relatively easy-to-exploit security vulnerability discovered in 2001 has come back to haunt system admins everywhere, leaving server-side website software potentially open to hackers.

For their part, the Apache Software Foundation, Red Hat, CentOS, Nginx and a few others have rushed to warn Linux developers of the so-called httpoxy flaw, specifically: CVE-2016-5385 in PHP; CVE-2016-5386 in Go; CVE-2016-5387 in the Apache HTTP server; CVE-2016-5388 in Apache Tomcat; CVE-2016-1000109 in the PHP engine HHVM; and CVE-2016-1000110 in Python.

This security flaw, present in various web apps and specific libraries, can be exploited to rummage around behind the scenes of vulnerable websites, and potentially to access sensitive data or seize control of the code.

Here's how it works: an attacker sends the application a request carrying a Proxy HTTP header, which sets a common environment variable called HTTP_PROXY on the application's server. Due to a naming conflict, the app then uses the proxy server defined by that variable for any of its outgoing HTTP connections.

If you point HTTP_PROXY at a malicious server, you can intercept the web app's connections to other systems and, depending on how the code is designed, potentially gain remote code execution.

It then hinges on whether the app makes outgoing connections as part of its operation, and whether these can be usefully exploited.

"If you're running PHP or CGI, you should block the Proxy header now," said Vend infrastructure engineer Dominic Scheirlinck, who coordinated the disclosure of these security flaws with various software makers.

We had an early look at the details prior to today's public announcement. There are security advisories available now from Apache, Red Hat, U.S. CERT, Nginx, and Drupal with more details.

"For its part, httpoxy is extremely easy to exploit in its basic form, and we expect security researchers to be able to scan for it quickly. If you're not deploying code, you don't need to worry," added Scheirlinck.

But code that makes outgoing HTTP connections to look up information or perform some other task while running in a server-side CGI context is potentially open to easy attack, he said.

It may still be possible to siphon off sensitive internal records, or feed corrupt data into apps, by injecting a man-in-the-middle proxy server into the system.

"For example, if you are using a Drupal plugin that uses Guzzle 6 and it makes an outgoing HTTP request (for example, to check a weather API), you are vulnerable to the request that plugin makes being 'httpoxied'," Scheirlinck asserted.

He added that attackers can easily direct vulnerable servers to open connections to an evil machine's IP address, and waste server resources by running traffic through malicious proxies.

Scheirlinck said the security vulnerability is down to a basic namespace conflict:

  • RFC 3875 (CGI) places the HTTP Proxy header from a request into an environment variable called HTTP_PROXY.
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy.
  • Exploitation is possible if just one vulnerable library is used, such as Guzzle or Artax, while processing incoming HTTP requests.
  • This security issue is appalling considering that it was discovered more than fifteen long years ago, and is unacceptable knowing what we know now.
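
The namespace conflict in the list above, together with the "block the Proxy header" mitigation, can be shown in a few lines of Python. This is an added example, not code from the article or from any of the advisories it cites; the function names are hypothetical, the request is constructed, and the application-side check is one possible policy.

```python
# Added illustration: function names are hypothetical, sample request is constructed.
UNPREFIXED = {"CONTENT_TYPE", "CONTENT_LENGTH"}  # RFC 3875 gives these their own variables

def _cgi_name(header_name):
    """Header name -> CGI meta-variable name (upper-case, '-' becomes '_')."""
    name = header_name.upper().replace("-", "_")
    return name if name in UNPREFIXED else "HTTP_" + name

def cgi_meta_variables(headers):
    """Build the request-derived part of a CGI environment from (name, value) pairs."""
    env = {}
    for name, value in headers:
        key = _cgi_name(name)
        # Repeated headers are combined into one comma-separated value.
        env[key] = env[key] + ", " + value if key in env else value
    return env

def strip_proxy_header(headers):
    """Mitigation at the front end: drop every header that would become HTTP_PROXY."""
    return [(n, v) for n, v in headers if _cgi_name(n) != "HTTP_PROXY"]

def trusted_proxy(env):
    """Mitigation in the application: ignore HTTP_PROXY whenever the process
    is serving a CGI request, because the value may come from the client."""
    if "REQUEST_METHOD" in env or "GATEWAY_INTERFACE" in env:
        return None
    return env.get("HTTP_PROXY")

# Constructed request; 203.0.113.7 is a documentation address (TEST-NET-3).
SAMPLE_REQUEST = [
    ("Host", "shop.example"),
    ("User-Agent", "example-client/1.0"),
    ("Proxy", "http://203.0.113.7:8080"),
]

if __name__ == "__main__":
    raw = cgi_meta_variables(SAMPLE_REQUEST)
    raw["REQUEST_METHOD"] = "GET"  # a CGI server sets this for every request
    print("unfiltered env :", raw.get("HTTP_PROXY"))
    clean = cgi_meta_variables(strip_proxy_header(SAMPLE_REQUEST))
    print("filtered env   :", clean.get("HTTP_PROXY"))
    print("app-side check :", trusted_proxy(raw))
```

Filtering on the mapped variable name rather than on the literal string "Proxy" means differently-cased spellings of the header are dropped as well.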

    Source: Red Hat.

    Copyright © Internet Security.ca    Terms of use    Privacy agreement    Legal disclaimer