https://httpoxy.org/#fix-now
I presume ASL has already added the necessary rule.
HOWEVER, what about Plesk, which in one configuration is not protected by ASL?
Plesk 10 (EOL) uses....its own webserver. I forget what. Does anybody know off-hand how/where to add the appropriate configuration directive to block this vulnerability, if it is affected?
httpoxy issue
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: httpoxy issue
Yes, we already block nonstandard headers, and for organizations that need a specific alert when this happens we also added in a specific rule to alert on these attacks 330773.
Michael Shinn
Atomicorp - Security For Everyone
Re: httpoxy issue
The Plesk web server is basically Nginx.
You can add
Code:
fastcgi_param HTTP_PROXY "";
to /etc/sw-cp-server/fastcgi_params.
Don't forget to reload the new configuration.
Code:
systemctl reload sw-cp-server.service
Lemonbit Internet Dedicated Server Management
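An added example, not part of the original posts and not Plesk's or ASL's own tooling: a shell helper that appends the directive from the post above only when no uncommented copy is present, and refuses to create the file when it is absent (the Plesk 10.x case raised later in this thread). The function names, exit codes and backup suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent httpoxy mitigation for an nginx-style fastcgi_params file.
# Function names, exit codes and the ".pre-httpoxy" backup suffix are hypothetical.

HTTPOXY_LINE='fastcgi_param HTTP_PROXY "";'

# Succeeds only if an uncommented directive sets HTTP_PROXY to an empty string.
# A line starting with "#" does not match, so a commented-out fix is not counted.
httpoxy_is_mitigated() {
    pat="^[[:space:]]*fastcgi_param[[:space:]]+HTTP_PROXY[[:space:]]+(\"\"|'')[[:space:]]*;"
    grep -Eq "$pat" "$1"
}

# Exit codes:
#   0  directive already present, file untouched
#   10 directive appended, a reload is still required
#   2  file does not exist, nothing written
#   1  backup or write failed
httpoxy_apply() {
    file=${1:-/etc/sw-cp-server/fastcgi_params}   # path given in the thread

    if [ ! -f "$file" ]; then
        echo "skip: $file does not exist, not creating it" >&2
        return 2
    fi

    if httpoxy_is_mitigated "$file"; then
        echo "ok: $file already blanks HTTP_PROXY"
        return 0
    fi

    # Keep a copy so the change can be reverted if the reload fails.
    cp -p "$file" "$file.pre-httpoxy" || return 1
    # Leading newline guards against a file whose last line is unterminated.
    printf '\n%s\n' "$HTTPOXY_LINE" >> "$file" || return 1

    echo "changed: $file updated; run: systemctl reload sw-cp-server.service"
    return 10
}
```

Run `httpoxy_apply` with no argument to act on the path from the post, or pass a copy of the file to try it without touching the live configuration.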
Re: httpoxy issue
Thanks Nils.
In Plesk 10.x, the fastcgi_params file does not exist (anywhere).
Will creating one do any good? I don't know where the master config is to see if it looks for such a file if it exists.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Re: httpoxy issue
faris wrote: "Thanks Nils. In Plesk 10.x, the fastcgi_params file does not exist (anywhere). Will creating one do any good? I don't know where the master config is to see if it looks for such a file if it exists."
No, it will be pointless to create this file.
I don't run any Plesk <12 machines anymore so I wouldn't know how to mitigate this issue in the Plesk web server itself. Placing the Plesk interface behind a web application firewall will probably do the job.
Lemonbit Internet Dedicated Server Management
Re: httpoxy issue
We are now scheduled for September for our big 12.x upgrades.
Until then....I never had any success with using Plesk within the ASL WAF due to 10.4.4 oddities (not ASL's fault).
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>