MRatWork Forum by Mustafa Ramadhan

Sawo Project - Kloxo-MR Discussions => Kloxo-MR Bugs and Requests => Topic started by: lanuma on 2016-07-21, 10:44:20

Title: HTTPoxy Vulnerability with NGINX
Post by: lanuma on 2016-07-21, 10:44:20
HTTPoxy is a set of vulnerabilities that affect CGI or CGI-like scripts running under PHP, Go, Python and other programming languages.

The cause is, frankly, rather silly: CGI places the HTTP Proxy header in the environment variable HTTP_PROXY, which happens to be the same variable name many programming languages also use: HTTP_PROXY. Technically, that makes it a vulnerability that is easy to exploit remotely.

For the official explanation from nginx, go straight to their website :D :D

https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
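As an added illustration of the mechanism described above (not code from the thread or from Kloxo-MR): the RFC 3875 header-to-environment mapping that turns a request's "Proxy" header into HTTP_PROXY, the server-side filter that the nginx and Hiawatha fixes apply, and a script-side fallback that scrubs the process environment. The sample headers, the proxy host and the helper names are constructed for this example.

```python
import os
from typing import Dict, List, Tuple

# Constructed sample request headers, as a CGI gateway would receive them.
# The "Proxy" header is the one HTTPoxy abuses; the host is a placeholder.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Host", "example.com"),
    ("User-Agent", "curl/7.47"),
    ("Proxy", "http://proxy.invalid:8080"),  # placeholder, not a real host
]

# Request headers that, once mapped to HTTP_*, collide with variables
# that HTTP client libraries read for their own configuration.
BLOCKED_HEADERS = {"proxy"}


def cgi_meta_variable(header_name: str) -> str:
    """RFC 3875 rule: 'HTTP_' + upper-cased name, with '-' replaced by '_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_env(headers, strip_blocked: bool) -> Dict[str, str]:
    """Compute the CGI environment for a request. strip_blocked=False
    reproduces the vulnerable mapping; True applies the same mitigation the
    web-server fixes implement (drop the header before it reaches the script)."""
    env: Dict[str, str] = {}
    for name, value in headers:
        if strip_blocked and name.lower() in BLOCKED_HEADERS:
            continue  # never let "Proxy:" become HTTP_PROXY
        env[cgi_meta_variable(name)] = value
    return env


def effective_proxy(env: Dict[str, str]) -> str:
    """The proxy a client library honouring HTTP_PROXY would end up using."""
    return env.get("HTTP_PROXY", "")


def scrub_process_env(env=None) -> List[str]:
    """Script-side fallback: when running under a CGI gateway
    (GATEWAY_INTERFACE set), remove HTTP_PROXY so libraries cannot be steered
    by the request. Returns the keys removed. Defaults to os.environ."""
    env = os.environ if env is None else env
    removed: List[str] = []
    if env.get("GATEWAY_INTERFACE", "").startswith("CGI/") and "HTTP_PROXY" in env:
        del env["HTTP_PROXY"]
        removed.append("HTTP_PROXY")
    return removed


if __name__ == "__main__":
    print("vulnerable:", effective_proxy(build_cgi_env(SAMPLE_HEADERS, False)))
    print("hardened:  ", effective_proxy(build_cgi_env(SAMPLE_HEADERS, True)))
```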
Title: Re: HTTPoxy Vulnerability with NGINX
Post by: MRatWork on 2016-07-21, 11:42:32
There will be an upload for this issue soon.

Just haven't found a way for Hiawatha yet.
Title: Re: HTTPoxy Vulnerability with NGINX
Post by: fossxplorer on 2016-07-21, 13:04:50
Maybe this can help (from https://www.hiawatha-webserver.org/manpages/hiawatha)?
"Header <key> [!]<pattern> <action>

Perform an action when the HTTP header <key> matches the regular expression <pattern>, where <action> can be one of the following:
Ban, Call, DenyAccess, Exit, Goto, OmitRequestLog, Return, Skip or Use.
A negative pattern (leading exclamation mark) can't be used with the redirect action. The <key> can be * to test every HTTP header. Note that the wildcard means 'any header', not 'every header'."

Something like:
UrlToolKit {
ToolkitID = httpoxy
Header Proxy  !"" Ban
}

My idea: test the value of the Proxy header and, IF NOT empty (""), ban it.

Title: Re: HTTPoxy Vulnerability with NGINX
Post by: MRatWork on 2016-07-21, 13:16:16
This issue is already addressed in https://www.hiawatha-webserver.org/weblog/115
Title: Re: HTTPoxy Vulnerability with NGINX
Post by: MRatWork on 2016-07-21, 15:14:18
Update Kloxo-MR 7.0 to 2016072106.
Title: Re: HTTPoxy Vulnerability with NGINX
Post by: lanuma on 2016-07-21, 18:15:03
Thank you :)
Title: Re: HTTPoxy Vulnerability with NGINX
Post by: fossxplorer on 2016-07-22, 11:23:31
Awesome @Mustafa. Kloxo-MR taking security very seriously makes this control panel the #1 FOSS panel!