Facebook
Twitter
alexonb
Basic Pleskian
read this https://httpoxy.org/#affected-summary
-
Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring. We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design. If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
-
The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
Resolved fault http_proxy or not impacted?
- Thread starter alexonb
- Start date
I wonder why it takes so long to reply by Plesk. However I expect it does effect any system that uses CGI. In case of Plesk if PHP uses CGI. PHP-fastcgi for example.
I'm probably going to try what IgorG suggests in https://talk.plesk.com/threads/adding-custom-rule-to-mod_security.336303/ to add a custom rule to mod_security (https://www.atomicorp.com/wiki/index.php/Mod_security#Creating_custom_rules) that is provide in the Apache section on https://httpoxy.org/#fix-now
I'm probably going to try what IgorG suggests in https://talk.plesk.com/threads/adding-custom-rule-to-mod_security.336303/ to add a custom rule to mod_security (https://www.atomicorp.com/wiki/index.php/Mod_security#Creating_custom_rules) that is provide in the Apache section on https://httpoxy.org/#fix-now
SpAcEDeViL
Basic Pleskian
ah ok, i not the only one how discover this...
https://httpoxy.org/#fix-now
https://www.digitalocean.com/commun...your-server-against-the-httpoxy-vulnerability
https://httpoxy.org/#fix-now
https://www.digitalocean.com/commun...your-server-against-the-httpoxy-vulnerability
Last edited:
LinqLOL
Basic Pleskian
@SpAcEDeViL imho it's not correct way to fix it and to bad there is no official answer yet from Plesk.
Well here is the short quick fix:
And then:
Notes:
This fix only works if you use nginx with apache for PHP(fcgi). If your using NGINX and PHP-FPM this fix will not work and the fix should be done in NGINX.
About NGINX:
But getting it in NGINX is quiet some work. Well the actuall fix is easy for nginx, add:
proxy_set_header Proxy "";
in the location / directive of the vhost. Problem is that there There is no way to set the proxy_set_header Proxy directive globaly (to my knowledge). So to get it to work it needs
to be in every vhost config. You either have to make a custom nginx config template for Plesk or you have to wait till Plesk updates the vhost template.
Well here is the short quick fix:
Code:
cat >> /etc/httpd/conf.d/a_httpoxy.conf <<EOF
# httpoxy fix jul 2017
<IfModule mod_headers.c>
RequestHeader unset Proxy early
</IfModule>
EOFAnd then:
Code:
service httpd restartNotes:
This fix only works if you use nginx with apache for PHP(fcgi). If your using NGINX and PHP-FPM this fix will not work and the fix should be done in NGINX.
About NGINX:
But getting it in NGINX is quiet some work. Well the actuall fix is easy for nginx, add:
proxy_set_header Proxy "";
in the location / directive of the vhost. Problem is that there There is no way to set the proxy_set_header Proxy directive globaly (to my knowledge). So to get it to work it needs
to be in every vhost config. You either have to make a custom nginx config template for Plesk or you have to wait till Plesk updates the vhost template.
Apache (search CVE-2016-5387) is already fixed by all Linux OS vendors:
https://access.redhat.com/errata/RHSA-2016:1422
https://access.redhat.com/errata/RHSA-2016:1421
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5387.html
https://security-tracker.debian.org/tracker/CVE-2016-5387
https://www.suse.com/security/cve/CVE-2016-5387.html
https://rpmfind.net/linux/RPM/cento...httpd-tools-2.4.6-40.el7.centos.4.x86_64.html
https://rpmfind.net/linux/RPM/cento...ckages/httpd-2.2.15-54.el6.centos.x86_64.html
https://rpmfind.net/linux/RPM/centos/updates/5.11/x86_64/RPMS/httpd-2.2.3-92.el5.centos.x86_64.html
All workarounds, if you want to do this manually, are well described in https://httpoxy.org/
Workarounds for nginx (you are affected only if you use FPM application served by nginx PHP handler) and IIS (Plesk for Windows is affected) will be implemented in Plesk, I hope soon.
https://access.redhat.com/errata/RHSA-2016:1422
https://access.redhat.com/errata/RHSA-2016:1421
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5387.html
https://security-tracker.debian.org/tracker/CVE-2016-5387
https://www.suse.com/security/cve/CVE-2016-5387.html
https://rpmfind.net/linux/RPM/cento...httpd-tools-2.4.6-40.el7.centos.4.x86_64.html
https://rpmfind.net/linux/RPM/cento...ckages/httpd-2.2.15-54.el6.centos.x86_64.html
https://rpmfind.net/linux/RPM/centos/updates/5.11/x86_64/RPMS/httpd-2.2.3-92.el5.centos.x86_64.html
All workarounds, if you want to do this manually, are well described in https://httpoxy.org/
Workarounds for nginx (you are affected only if you use FPM application served by nginx PHP handler) and IIS (Plesk for Windows is affected) will be implemented in Plesk, I hope soon.
Any word yet on this and which versions of Plesk for Windows will be updates?
alexonb
Basic Pleskian
ok, thank verify..
I guess Plesk for Windows 12.5, maybe 12.0 will be updated.
I do not think Plesk 11.5 will be updated, because this issue is not critical (there are workarounds). Plesk 11 is now in “Extended Support” phase that means that it continue to receive patches only for critical issues. https://www.plesk.com/support/plesk-lifecycle/
