Safe from httpoxy Vulnerability or How Thinking Ahead Pays Off
A dangerous easy-to-exploit vulnerability called httpoxy discovered 15 years ago, reappeared again yesterday, leaving server-side website software potentially open to attackers. This security hole impacts a large number of PHP and CGI web-apps. This means that anything that runs on PHP, Apache, Go, HHVM, Python can be vulnerable. The exploit allows man-in-the-middle attacks that could compromise web servers and potentially access sensitive data or seize control of the code. Thanks to our unique in-house developed systems and some precautions taken ahead of time by our DevOps team, SiteGround customers are unaffected by the return of the vulnerability.
How does the exploit work?
The abuser crafts a specific Proxy HTTP header in a request to the application to set a common environment variable called HTTP_PROXY on the application’s server. The app then, due to a naming conflict uses the proxy server defined by that variable for any of its outgoing HTTP connections. In such manner if the attacker has pointed the HTTP_PROXY at a malicious server, you can intercept the web app’s connections to other systems and, depending on how the code is designed, potentially gain remote code execution. The best immediate mitigation is to block PROXY request headers as early as possible, and before they hit your application.
How we avoided being affected by the vulnerability now?
We have our own unique in-house PHP and CGI setup that we developed in 2007 and continue to maintain and improve until today. Way back then when our DevOps team started to develop this setup, they were aware of the potential fault in using the PROXY header. That’s why, as a precaution, they decided to exclude the PROXY header from our list of allowed environment parameters. This means that we don’t even need to unset the HTTP_PROXY header as the security advisors suggest in this case, we simply do not allow it to be included in any HTTP requests.
Thanks to our knowledgeable security and systems design team, we were able to predict the possibility of a reappearance of this vulnerability and we proactively designed our systems in a way to protect our clients.
Comments ( 26 )
Thanks! Your comment will be held for moderation and will be shortly published, if it is related to this blog article. Comments for support inquiries or issues will not be published, if you have such please report it through
Eric
Good work Siteground Team! By far the #1 Hosting Service provider out there :)
Angelina Micheva
Thank you, Eric!
Alvin Gan
Thanks SiteGround DevOps for thinking ahead and develop great server performances with constant performance and security fixes
Angelina Micheva
Our DevOps team is amazing and they are true experts in what they do so your sites are safe with us.
kenny
Beautiful, good thinking all those years ago. Glad that you communicate this as well. Keeps us aware that you are working away behind the scenes to keep our sites safe.
Erik Joling
Well spoken Kenny, I totally agree!
Lauro
grazie alle vostre indagini adesso addirittura a tanti anni fa! ottimo lavoro di manutenzione cosi non mai la sicurezza dei nostri siti web!
John Cope
It's great to know that if I happen upon an article about the exploit i don't need to be concerned. One less thing for me to do, thanks for posting
abrham assefa
I proud the siteground Team, and am happy being user customer
Chris Olsen
Thank you! Glad my sites are hosted with you. Let's me focus on the website and not worry about hosting.
Alain
That's why I am a happy Siteground customer since years :)
Brian A
Thank you yet again to all at SiteGround.com for helping to keep your networks better protected - and therefore all the websites installed on them, and for letting us know about some of the great work you do "in the background".
Thomas Whittaker
#PeaceOfMind When you have SG has your BUDDY :)
Jag
Thank you! It is comforting. Jag KudosWall.com
Alisa natal
You guys rock! Loving the decision to move myself and all my clients over to you. SO much better, you make life of managing a bunch of sites so much easier. Thanks!
Ken Weill Lumacad
That's good news. I'm proud to be with SiteGround. Migrating to SiteGround was the best choice I made for my websites. Kudos to the SiteGround team.
aj
the best hosting services and support team. thanks site ground
Rodel
Best Hosting Provider Ever :) Good Siteground.... I'm so Happy.................... 101 Best Hosting..
Shayan
You were not my first web hosting, but seems like you are the last I will ever try :) Good luck SG.
Geoff
Delighted with my switch in hosting to Siteground. A******* customer service and product. Thanks guys
Jarold Villanueva
Nice work... Two thumbs up.... Best Hosting Ever... :-)
Carla
Well done Team SiteGround! Thanks for keeping us updated.
Jaswinder Kaur
I am happy to be SG customer! Thanks.
Mohd Shahrizan Ahmad Yusof
Your Super Technical Team is second to none and a perfect match with your infamous Support Team which proven as best support in the world (as written in EVERY FORUMS / WEBS). I always wondered, if with your regular support already make us felt like VIP customers. Then I believe, with your so-called Premium Support will definitely make us feel like Royal Treatment! As in your technical team, you guys never stop to amazes us with your continuos dedication. I'm glad I chose SG as my first web-hosting company. After almost a year being your customer, I believe that is best decision I ever made.
Jan
Hi everyone, I am planning to host an Django-cms app. Which python3 version(s) are you supporting? Kind regards, Jan Nusselder
Hristo Pandjarov Siteground Team
Right now we have 2.7.5 and 2.4.3 available on our servers but we will be adding another version (3rd branch) for our customers shortly!
Start discussion
Thanks! Your comment will be held for moderation and will be shortly published, if it is related to this blog article. Comments for support inquiries or issues will not be published, if you have such please report it through