Ticket #921 (closed maintenance: fixed)

Opened 4 months ago

Last modified 4 months ago

HTTP_PROXY env var vulnerability

Reported by: chris Owned by: chris
Priority: major Milestone: Maintenance
Component: Parrot server Keywords:
Cc: sam, paul Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 0.4

Description

See https://httpoxy.org/

Change History

comment:1 Changed 4 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.4
  • Total Hours changed from 0.0 to 0.4

This vulnerability can be tested with using the Firefox Modify Headers and livehttpheaders add ons.

I assume it isn't worth fixing PuffinServer as this is probably due to be switched off as the site has been migrated off it?

On PenguinServer, this needs adding to all ngnix config for php:

fastcgi_param HTTP_PROXY "";

And for Trac:

proxy_set_header Proxy "";

And testing via https://penguin.transitionnetwork.org/info/php-info.php and all is good.

On ParrotServer the vulnerability was tested and was present so the following was added to /etc/apache2/apache2.conf:

RequestHeader unset Proxy early

And that fixed it.

comment:2 Changed 4 months ago by chris

  • Status changed from new to closed
  • Resolution set to fixed
Note: See TracTickets for help on using tickets.