HTTPoxy CGI Vulnerabilities Fix

A serious vulnerability was recently discovered in how CGI script execution is handled on Linux for PHP, Python, Go and other languages.

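httpoxy is the name given to a set of vulnerabilities that affect application code running in CGI or CGI-like environments. CGI hands each request header to the application as an HTTP_-prefixed environment variable, so a client-supplied Proxy header arrives as HTTP_PROXY. The vulnerability therefore allows an attacker to remotely set the HTTP_PROXY environment variable on affected servers, which can lead to a number of bad consequences.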

The best advice is to patch as soon as possible, as Linux vendors have started releasing patches. Until you can patch, you can mitigate immediately by blocking ‘Proxy’ request headers as early as possible, before they hit your application. httpoxy.org has this spelled out in detail for Nginx/FastCGI and other web servers.
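To make the mechanism and the mitigation concrete, here is an added example (not EasyEngine or Nginx code) that models how a CGI gateway maps request headers to environment variables and what dropping the Proxy header changes. The function names and the sample request are constructed for illustration.

```python
# Added illustration (not EasyEngine or Nginx code): models the CGI
# header-to-environment mapping behind httpoxy and the mitigation of
# dropping the Proxy request header before it reaches the application.

def cgi_environ(headers):
    """Build CGI meta-variables from request headers as RFC 3875 describes:
    'Some-Name' becomes HTTP_SOME_NAME (upper-cased, '-' replaced by '_')."""
    env = {}
    for name, value in headers:
        key = name.strip().upper().replace("-", "_")
        if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            key = "HTTP_" + key  # a client "Proxy" header lands on HTTP_PROXY
        # Repeated headers are folded into one comma-separated value.
        env[key] = f"{env[key]}, {value}" if key in env else value
    return env

def strip_proxy_header(headers):
    """Edge mitigation: drop the 'Proxy' header (any letter case) and
    leave every other header, including similarly named ones, untouched."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]

def proxy_seen_by_app(env):
    """Proxy URL that a client library honouring HTTP_PROXY would pick up."""
    return env.get("HTTP_PROXY")

# Constructed sample request; 203.0.113.7 is a documentation-range address.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("Content-Type", "application/json"),
    ("pRoXy", "http://203.0.113.7:8080"),   # header names are case-insensitive
    ("Proxy-Connection", "keep-alive"),     # different header, must survive
]

def compare():
    """Return the proxy the app would see without and with the mitigation."""
    unfiltered = cgi_environ(SAMPLE_HEADERS)
    filtered = cgi_environ(strip_proxy_header(SAMPLE_HEADERS))
    return proxy_seen_by_app(unfiltered), proxy_seen_by_app(filtered)

if __name__ == "__main__":
    before, after = compare()
    print("HTTP_PROXY without header filtering:", before)
    print("HTTP_PROXY with Proxy header dropped:", after)
```

The filter matches the header name exactly and case-insensitively, which is why the mixed-case pRoXy header is removed while Proxy-Connection still reaches the application.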

For EasyEngine users

Just run the ee update command and it will take care of blocking the Proxy request header.

We also updated our custom Nginx builds, which include the necessary patch.

Either way, you will get the same result, so you had better go ahead with ee update.

Link: EasyEngine v3.7.2 Release

3 responses to “HTTPoxy CGI Vulnerabilities Fix”

  1. Any ETA about per-domain hosting pool and support for per-domain FTP access?

  2. It is great to see Easy Engine developers keep up to date with the latest security issues. This is why I choose Easy Engine!

  3. Update from version EasyEngine 3.5.3 crashed my nginx (ee update command)
    Reason: it replaced nginx.conf, where the string “server_names_hash_bucket_size 128;” was uncommented.
    I hope you will find a safer way to change the “powered by” string: add_header X-Powered-By “EasyEngine 3.7.2”, because changing the full config file is not a perfect design and is unsafe.