Facebook
Twitter
alexonb
Basic Pleskian
read this https://httpoxy.org/#affected-summary
-
Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
-
We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies! -
The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
Resolved fault http_proxy or not impacted?
- Thread starter alexonb
- Start date
I wonder why it takes so long to reply by Plesk. However I expect it does effect any system that uses CGI. In case of Plesk if PHP uses CGI. PHP-fastcgi for example.
I'm probably going to try what IgorG suggests in https://talk.plesk.com/threads/adding-custom-rule-to-mod_security.336303/ to add a custom rule to mod_security (https://www.atomicorp.com/wiki/index.php/Mod_security#Creating_custom_rules) that is provide in the Apache section on https://httpoxy.org/#fix-now
I'm probably going to try what IgorG suggests in https://talk.plesk.com/threads/adding-custom-rule-to-mod_security.336303/ to add a custom rule to mod_security (https://www.atomicorp.com/wiki/index.php/Mod_security#Creating_custom_rules) that is provide in the Apache section on https://httpoxy.org/#fix-now
SpAcEDeViL
Basic Pleskian
ah ok, i not the only one how discover this...
https://httpoxy.org/#fix-now
https://www.digitalocean.com/commun...your-server-against-the-httpoxy-vulnerability
https://httpoxy.org/#fix-now
https://www.digitalocean.com/commun...your-server-against-the-httpoxy-vulnerability
Last edited:
LinqLOL
Basic Pleskian
@SpAcEDeViL imho it's not correct way to fix it and to bad there is no official answer yet from Plesk.
Well here is the short quick fix:
And then:
Notes:
This fix only works if you use nginx with apache for PHP(fcgi). If your using NGINX and PHP-FPM this fix will not work and the fix should be done in NGINX.
About NGINX:
But getting it in NGINX is quiet some work. Well the actuall fix is easy for nginx, add:
proxy_set_header Proxy "";
in the location / directive of the vhost. Problem is that there There is no way to set the proxy_set_header Proxy directive globaly (to my knowledge). So to get it to work it needs
to be in every vhost config. You either have to make a custom nginx config template for Plesk or you have to wait till Plesk updates the vhost template.
Well here is the short quick fix:
Code:
cat >> /etc/httpd/conf.d/a_httpoxy.conf <<EOF
# httpoxy fix jul 2017
<IfModule mod_headers.c>
RequestHeader unset Proxy early
</IfModule>
EOFAnd then:
Code:
service httpd restartNotes:
This fix only works if you use nginx with apache for PHP(fcgi). If your using NGINX and PHP-FPM this fix will not work and the fix should be done in NGINX.
About NGINX:
But getting it in NGINX is quiet some work. Well the actuall fix is easy for nginx, add:
proxy_set_header Proxy "";
in the location / directive of the vhost. Problem is that there There is no way to set the proxy_set_header Proxy directive globaly (to my knowledge). So to get it to work it needs
to be in every vhost config. You either have to make a custom nginx config template for Plesk or you have to wait till Plesk updates the vhost template.
Apache (search CVE-2016-5387) is already fixed by all Linux OS vendors:
https://access.redhat.com/errata/RHSA-2016:1422
https://access.redhat.com/errata/RHSA-2016:1421
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5387.html
https://security-tracker.debian.org/tracker/CVE-2016-5387
https://www.suse.com/security/cve/CVE-2016-5387.html
https://rpmfind.net/linux/RPM/cento...httpd-tools-2.4.6-40.el7.centos.4.x86_64.html
https://rpmfind.net/linux/RPM/cento...ckages/httpd-2.2.15-54.el6.centos.x86_64.html
https://rpmfind.net/linux/RPM/centos/updates/5.11/x86_64/RPMS/httpd-2.2.3-92.el5.centos.x86_64.html
All workarounds, if you want to do this manually, are well described in https://httpoxy.org/
Workarounds for nginx (you are affected only if you use FPM application served by nginx PHP handler) and IIS (Plesk for Windows is affected) will be implemented in Plesk, I hope soon.
https://access.redhat.com/errata/RHSA-2016:1422
https://access.redhat.com/errata/RHSA-2016:1421
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5387.html
https://security-tracker.debian.org/tracker/CVE-2016-5387
https://www.suse.com/security/cve/CVE-2016-5387.html
https://rpmfind.net/linux/RPM/cento...httpd-tools-2.4.6-40.el7.centos.4.x86_64.html
https://rpmfind.net/linux/RPM/cento...ckages/httpd-2.2.15-54.el6.centos.x86_64.html
https://rpmfind.net/linux/RPM/centos/updates/5.11/x86_64/RPMS/httpd-2.2.3-92.el5.centos.x86_64.html
All workarounds, if you want to do this manually, are well described in https://httpoxy.org/
Workarounds for nginx (you are affected only if you use FPM application served by nginx PHP handler) and IIS (Plesk for Windows is affected) will be implemented in Plesk, I hope soon.
Any word yet on this and which versions of Plesk for Windows will be updates?
alexonb
Basic Pleskian
ok, thank verify..
I guess Plesk for Windows 12.5, maybe 12.0 will be updated.
I do not think Plesk 11.5 will be updated, because this issue is not critical (there are workarounds). Plesk 11 is now in “Extended Support” phase that means that it continue to receive patches only for critical issues. https://www.plesk.com/support/plesk-lifecycle/
