httpoxy issue
Posted: Mon Jul 18, 2016 6:48 pm
by faris
https://httpoxy.org/#fix-now
I presume ASL has already added the necessary rule.
HOWEVER, what about Plesk, which in one configuration is not protected by ASL?
Plesk 10 (EOL) uses... its own web server. I forget what. Does anybody know off-hand how/where to add the appropriate configuration directive to block this vulnerability, if it is affected?
Re: httpoxy issue
Posted: Mon Jul 18, 2016 7:48 pm
by mikeshinn
Yes, we already block nonstandard headers, and for organizations that need a specific alert when this happens we also added in a specific rule to alert on these attacks, 330773.
Re: httpoxy issue
Posted: Tue Jul 19, 2016 7:14 am
by prupert
The Plesk web server is basically Nginx.
You can add
to
/etc/sw-cp-server/fastcgi_params.
Don't forget to reload the new configuration.
systemctl reload sw-cp-server.service
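The two mitigations discussed in this thread, the WAF-side block/alert mikeshinn describes and the fastcgi_params override prupert describes, both target the same mechanism: a client-supplied Proxy request header that the CGI/FastCGI layer turns into an HTTP_PROXY environment variable (the directive httpoxy.org documents for nginx FastCGI setups is fastcgi_param HTTP_PROXY "";). The following Python is an added example, not code from this thread, ASL or Plesk; it reproduces the RFC 3875 header-to-variable mapping on constructed sample requests, then shows the scrub-and-alert step a front end or WAF performs. The request samples and the alert record layout are assumptions made for the demonstration.

```python
"""Added example: why the Proxy header matters and how a front end neutralises it."""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample requests (not real traffic). The second carries the header
# that the CGI mapping below turns into HTTP_PROXY. 198.51.100.0/24 is TEST-NET-2.
SAMPLE_REQUESTS: Dict[str, Headers] = {
    "benign": [("Host", "panel.example.test"), ("User-Agent", "curl/7.47.0")],
    "httpoxy": [("Host", "panel.example.test"), ("Proxy", "http://198.51.100.7:8080")],
}


def cgi_meta_variables(headers: Headers) -> Dict[str, str]:
    """Map request headers to CGI meta-variables the way RFC 3875 section 4.1.18
    prescribes: upper-case the name, replace '-' with '_', prepend 'HTTP_'.
    This is the step that makes a 'Proxy' header arrive as HTTP_PROXY, the
    variable many HTTP client libraries read as their outbound proxy setting."""
    env: Dict[str, str] = {}
    for name, value in headers:
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value
    return env


def scrub_proxy_header(headers: Headers) -> Tuple[Headers, List[Dict[str, str]]]:
    """Drop any Proxy header (case-insensitively, since the CGI mapping is
    case-insensitive too) before the application layer sees it, and return an
    alert record for each one removed. This is the in-process equivalent of
    nginx's `fastcgi_param HTTP_PROXY "";` override plus a WAF alert rule."""
    kept: Headers = []
    alerts: List[Dict[str, str]] = []
    for name, value in headers:
        if name.strip().lower() == "proxy":
            # Constructed alert layout; a real WAF would emit its own rule id.
            alerts.append({"reason": "httpoxy", "header": name, "value": value})
        else:
            kept.append((name, value))
    return kept, alerts


def safe_environ(headers: Headers) -> Dict[str, str]:
    """Build the CGI environment a backend should receive: headers scrubbed
    first, so HTTP_PROXY can never be set from the request."""
    kept, _ = scrub_proxy_header(headers)
    env = cgi_meta_variables(kept)
    assert "HTTP_PROXY" not in env  # invariant the mitigation guarantees
    return env


if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        raw = cgi_meta_variables(req)
        _, alerts = scrub_proxy_header(req)
        print(f"{label}: unmitigated HTTP_PROXY={raw.get('HTTP_PROXY')!r}, "
              f"alerts={alerts}, mitigated HTTP_PROXY={safe_environ(req).get('HTTP_PROXY')!r}")
```

Note that the check keys on the header name, not its value: an empty or odd-looking Proxy header is still worth alerting on, because no legitimate client sends one at all.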
Re: httpoxy issue
Posted: Tue Jul 19, 2016 12:17 pm
by faris
Thanks Nils.
In Plesk 10.x, the fastcgi_params file does not exist (anywhere).
Will creating one do any good? I don't know where the master config is to see if it looks for such a file if it exists.
Re: httpoxy issue
Posted: Thu Jul 21, 2016 5:56 am
by prupert
faris wrote: Thanks Nils.
In Plesk 10.x, the fastcgi_params file does not exist (anywhere).
Will creating one do any good? I don't know where the master config is to see if it looks for such a file if it exists.
No, it will be pointless to create this file.
I don't run any Plesk <12 machines anymore so I wouldn't know how to mitigate this issue in the Plesk web server itself. Placing the Plesk interface behind a web application firewall will probably do the job.
Re: httpoxy issue
Posted: Mon Jul 25, 2016 12:04 pm
by faris
We are now scheduled for September for our big 12.x upgrades.
Until then... I never had any success with using Plesk within the ASL WAF due to 10.4.4 oddities (not ASL's fault).