Httpoxy vulnerability

DrMartin · July 18, 2016, 3:50pm

Affects PHP, more information can be found here: https://httpoxy.org/

Can be blocked in NGINX by adding:
fastcgi_param HTTP_PROXY “”;

And in Apache:
RequestHeader unset Proxy early

JoshData · July 18, 2016, 4:04pm

Hello. Please open an issue on our github repository for tracking this issue. (Things that we really don’t want to forget about are better on github.)

just4t · July 19, 2016, 5:29pm

Thanks @DrMartin, temporarily patched ‘nginx’ by adding:

fastcgi_param HTTP_PROXY "";

To: /etc/nginx/fastcgi_params file.

Additional info. from DO about that, available here: How to Protect Your Server Against the HTTPoxy Vulnerability | DigitalOcean
For web-servers managed with Serverpilot available here: HTTPoxy Vulnerability - ServerPilot

just4t · July 28, 2016, 9:57am

@JoshData noticed @yodax provided a patch here then, knowing that’s a security fix about HTTPoxy vulnerability have you plans to merge It to ‘master’ and/or to release a new official release, soon? Thanks in advance.

JoshData · July 28, 2016, 5:24pm

Thanks for the ping. I’ve left a comment on the github issue & PR.

system · September 17, 2016, 3:50pm

This topic was automatically closed after 61 days. New replies are no longer allowed.