Sponsor:

Server and Web Integrator
Link:
Kloxo-MR logo
6.5.0 or 7.0.0
Click for "How to install"
Donation/Sponsorship:
Kloxo-MR is open-source.
Donate and or Sponsorship always welcome.
Click to:
Click Here
Please login or register. 2024-03-28, 17:19:31

Author Topic: HTTPoxy Vulnerability with NGINX  (Read 7516 times)

0 Members and 1 Guest are viewing this topic.

Offline lanuma

  • Valuable Member
  • *
  • Posts: 72
  • Karma: +0/-0
    • View Profile
HTTPoxy Vulnerability with NGINX
« on: 2016-07-21, 10:44:20 »
HTTPoxy adalah sekumpulan vulnerabilities yang menyerang script CGI atau CGI-like (serupa CGI) yang berjalan dengan bantuan PHP, Go, Python dan bahasa pemrograman lainnya.

Penyebabnya bisa dibilang terlalu konyol, dimana header HTTP Proxy di CGI ditaruh pada variable environment HTTP_PROXY, yang kebetulan dibanyak bahasa pemrograman juga ditulis dalam variable yang sama: HTTP_PROXY. Sehingga secara teknis, menjadi vulnerabilitas yang mudah dieksploitasi secara remote.

untuk penjelasan resmi dari nginx langsung ke websitenya :D :D

https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: HTTPoxy Vulnerability with NGINX
« Reply #1 on: 2016-07-21, 11:42:32 »
Akan ada upload untuk masalah ini segera.

Hanya belum ketemu cara untuk Hiawatha.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline fossxplorer

  • Master
  • **
  • Posts: 640
  • Karma: +1/-0
    • View Profile
Re: HTTPoxy Vulnerability with NGINX
« Reply #2 on: 2016-07-21, 13:04:50 »
Maybe this can help (from https://www.hiawatha-webserver.org/manpages/hiawatha): ?
"Header <key> [!]<pattern> <action>

Perform an action when the HTTP header <key> matches the regular expresion <pattern>, where <action> can be one of the following:
Ban, Call, DenyAccess, Exit, Goto, OmitRequestLog, Return, Skip or Use.
A negative pattern (leading exclamation mark) can't be used with the redirect action. The <key> can be * to test every HTTP header. Note that the wildcard means 'any header', not 'every header'."

Something like :
UrlToolKit {
ToolkitID = httpoxy
Header Proxy  !"" Ban
}

My idea test the Proxy header of value and IF NOT emtpy (""), ban it.





Kloxo-MR!

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: HTTPoxy Vulnerability with NGINX
« Reply #3 on: 2016-07-21, 13:16:16 »
This issue already release in https://www.hiawatha-webserver.org/weblog/115
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: HTTPoxy Vulnerability with NGINX
« Reply #4 on: 2016-07-21, 15:14:18 »
Update Kloxo-MR 7.0 to 2016072106.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline lanuma

  • Valuable Member
  • *
  • Posts: 72
  • Karma: +0/-0
    • View Profile
Re: HTTPoxy Vulnerability with NGINX
« Reply #5 on: 2016-07-21, 18:15:03 »
Terima Kasih :)

Offline fossxplorer

  • Master
  • **
  • Posts: 640
  • Karma: +1/-0
    • View Profile
Re: HTTPoxy Vulnerability with NGINX
« Reply #6 on: 2016-07-22, 11:23:31 »
Awesome @Mustafa. Kloxo-MR taking security very seriously puts this control panel #1 FOSS panel!

Update Kloxo-MR 7.0 to 2016072106.
Kloxo-MR!

 


Top 4 Global Search Engines:    Google    Bing    Baidu    Yahoo
Click Here

Page created in 0.07 seconds with 19 queries.

web stats analysis