Comments on HTTPOXY Vulnerability: How to protect and test your web server
This tutorial will show you how to protect your web server from HTTPOXY. It contains sections for the most used Linux distributions: CentOS + RHEL, Debian, and Ubuntu. The recently discovered HTTPOXY vulnerability affects applications that run in CGI or CGI-like environments. This means that the issue affects almost all web servers, including Apache and Nginx, and also most PHP applications. Even the mod_php mode on Apache is affected.
Comments
AFAIK, the main config file for httpd under CentOS/Fedora is /etc/httpd/conf/httpd.conf (so, the "conf" subdirectory seems to be missing in the HowTo)
Hello Till, thanks for the information and help to get protected. This vulnerability only works if you are using Apache proxy, which is not enabled by default, right? I tested my server and got "The service has queried www.xxx.dot using httpoxy headers, but received no http_proxy request". I'm not using Apache proxy. Do you think it is necessary to make the fix anyway? Thanks!
The vulnerability affects not only Apache proxy; it also affects PHP, Perl and other server-side scripting languages. A script written in such a language is vulnerable, so I recommend applying the fix. At least it should not hurt to do it.
Thanks Till!
Thanks Till.
Thank you for this info. Done on my Ubuntu server. Great job! :)
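On the question above about servers that do not use Apache proxy: the sketch below is an added example, not code from the tutorial or from any commenter. It shows the CGI rule (RFC 3875) that turns a client's `Proxy` request header into the `HTTP_PROXY` variable seen by a script, and the effect of dropping that header first. The function names and the sample request are constructed for illustration.

```python
# Added illustration (not from the tutorial): CGI header-to-environment
# mapping per RFC 3875, and a filter that drops the Proxy request header.

def cgi_environ(headers):
    """Map request headers to CGI meta-variables: 'X-Foo' -> 'HTTP_X_FOO'."""
    env = {}
    for name, value in headers:
        key = name.upper().replace("-", "_")
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value  # these two carry no HTTP_ prefix in CGI
        else:
            env["HTTP_" + key] = value
    return env

def strip_proxy_header(headers):
    """Drop any 'Proxy' request header, matched case-insensitively."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]

def proxy_seen_by_app(env):
    """Proxy that a client library trusting HTTP_PROXY would pick up."""
    # Assumption: the script's HTTP client reads HTTP_PROXY from its environment.
    return env.get("HTTP_PROXY")

# Constructed sample request; host names are placeholders.
SAMPLE_REQUEST = [
    ("Host", "www.example.com"),
    ("User-Agent", "scanner/1.0"),
    ("Proxy", "http://proxy.invalid:8080"),
]

def demo():
    """Return the proxy value the script sees without and with the filter."""
    unfiltered = proxy_seen_by_app(cgi_environ(SAMPLE_REQUEST))
    filtered = proxy_seen_by_app(cgi_environ(strip_proxy_header(SAMPLE_REQUEST)))
    return unfiltered, filtered

if __name__ == "__main__":
    before, after = demo()
    print("without filter:", before)
    print("with filter:   ", after)
```

The variable is set by the CGI mapping itself, whether or not any proxy module is loaded, which is why the fix is applied at the web server before the request reaches the script.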