httpoxy issue

Security announcements of interest to the AtomiCorp community, such as vulnerabilities in third party applications.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

httpoxy issue

Post by faris »

https://httpoxy.org/#fix-now

I presume ASL has already added the necessary rule.

HOWEVER, what about Plesk, which in one configuration is not protected by ASL?

Plesk 10 (EOL) uses....its own webserver. I forget what. Does anybody know off-hand how/where to add the appropriate configuration directive to block this vulnerability, if it is affected?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: httpoxy issue

Post by mikeshinn »

Yes, we already block nonstandard headers, and for organizations that need a specific alert when this happens we also added in a specific rule to alert on these attacks 330773.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: httpoxy issue

Post by prupert »

The Plesk web server is basically Nginx.

You can add

    fastcgi_param  HTTP_PROXY         "";

to /etc/sw-cp-server/fastcgi_params.

Don't forget to reload the new configuration.

    systemctl reload sw-cp-server.service
Lemonbit Internet Dedicated Server Management
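The thread gives the nginx/FastCGI fix but not the mechanism it is blocking. The following is an added example (not code from this thread, from Plesk, or from Atomicorp): it emulates the CGI rule that turns any request header into an HTTP_* environment variable, shows why a client-supplied "Proxy" header ends up as HTTP_PROXY for the application, and shows what the quoted `fastcgi_param HTTP_PROXY "";` line achieves by pinning that variable to an empty value. The header set, the blocked-header list and the sample request are constructed for the example; the `proxy_in_effect` helper is a stand-in for how a proxy-aware HTTP client treats HTTP_PROXY, not any particular library's code.

```python
"""
Added example: how httpoxy arises under CGI/FastCGI and how an empty
HTTP_PROXY override (the nginx fastcgi_param fix from the thread) neutralises it.

CGI (RFC 3875) exports every request header "Foo-Bar: x" to the application
as the environment variable HTTP_FOO_BAR=x.  A client-supplied "Proxy:" header
therefore becomes HTTP_PROXY, which proxy-aware HTTP libraries read as
"send outbound requests through this proxy".
"""
from typing import Dict, Optional


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Plain CGI-style mapping (the vulnerable behaviour): every request
    header becomes HTTP_<NAME>, upper-cased with '-' replaced by '_'."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


# Header names that must never be exported into the application environment.
# "proxy" is the httpoxy case; this set is a constructed policy, extend as needed.
BLOCKED_HEADERS = {"proxy"}


def hardened_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Same mapping, but blocked headers are dropped and HTTP_PROXY is pinned
    to an empty string, mirroring `fastcgi_param HTTP_PROXY "";` in nginx."""
    env = {}
    for name, value in headers.items():
        if name.lower() in BLOCKED_HEADERS:
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    env["HTTP_PROXY"] = ""  # explicit empty override, as in the nginx fix
    return env


def proxy_in_effect(env: Dict[str, str]) -> Optional[str]:
    """Stand-in for a proxy-aware client's decision (assumption, not a real
    library): a non-empty HTTP_PROXY is used, empty or missing means direct."""
    return env.get("HTTP_PROXY", "") or None


def detect_httpoxy_attempt(headers: Dict[str, str]) -> bool:
    """Request-time detection a WAF or log filter can apply: an inbound
    'Proxy' request header has no legitimate use and is worth alerting on."""
    return any(name.lower() == "proxy" for name in headers)


# Constructed sample request (not a real capture); .invalid is reserved.
SAMPLE_REQUEST = {
    "Host": "example.invalid",
    "User-Agent": "curl/7.47.0",
    "Proxy": "http://rogue-proxy.invalid:8080",
}

if __name__ == "__main__":
    vuln = cgi_meta_variables(SAMPLE_REQUEST)
    safe = hardened_meta_variables(SAMPLE_REQUEST)
    print("vulnerable mapping, proxy in effect:", proxy_in_effect(vuln))
    print("hardened mapping,   proxy in effect:", proxy_in_effect(safe))
    print("request flagged by detection:", detect_httpoxy_attempt(SAMPLE_REQUEST))
```

Running the script prints the rogue proxy URL for the plain mapping and `None` for the hardened one, while the ordinary headers (HTTP_HOST, HTTP_USER_AGENT) survive in both. The empty override is the important part: dropping the header alone leaves the variable unset, which also works, but setting it to "" makes the intent visible in the config and cannot be undone by a later `fastcgi_param` line that happens to forward all headers.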
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: httpoxy issue

Post by faris »

Thanks Nils.

In Plesk 10.x, the fastcgi_params file does not exist (anywhere).

Will creating one do any good? I don't know where the master config is to see if it looks for such a file if it exists.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: httpoxy issue

Post by prupert »

faris wrote:
    Thanks Nils.

    In Plesk 10.x, the fastcgi_params file does not exist (anywhere).

    Will creating one do any good? I don't know where the master config is to see if it looks for such a file if it exists.

No, it will be pointless to create this file.

I don't run any Plesk <12 machines anymore so I wouldn't know how to mitigate this issue in the Plesk web server itself. Placing the Plesk interface behind a web application firewall will probably do the job.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: httpoxy issue

Post by faris »

We are now scheduled for September for our big 12.x upgrades :-(

Until then....I never had any success with using Plesk within the ASL WAF due to 10.4.4 oddities (not ASL's fault).