Protecting the SafeSync for Enterprise (SSFE) server from the HTTPoxy Vulnerability

    • Updated: 25 Oct 2016
    • Product/Version: SafeSync for Enterprise 3.1, SafeSync for Enterprise 3.2
    • Platform: iOS 9.2
Summary

This article illustrates how to protect your SSFE server from the HTTPoxy Vulnerability.

Details

A serious vulnerability has been discovered in how CGI scripts are handled on Linux or Unix systems that use PHP, Go, Python, and other scripting languages. This article explains how to fix Httpoxy, a CGI application vulnerability on Linux or Unix that affects HAProxy, Varnish, Nginx, PHP, Go, Python, Tomcat, and others.

Httpoxy is a set of vulnerabilities that affect application code running in CGI or CGI-like environments. It comes down to a simple namespace conflict:

  • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY.
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy.

This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header. The attack uses HTTP_PROXY to carry out man-in-the-middle attacks. Web servers, web frameworks, and programming languages are affected; the affected servers include Apache (CVE-2016-5387), Nginx, and Varnish.

To remove the HTTP Proxy Header with Apache:

  1. Add "RequestHeader unset Proxy early" to /etc/apache2/apache2.conf:

    sudo sed -i '$ a\\nRequestHeader unset Proxy early' /etc/apache2/apache2.conf

  2. Restart the service if no syntax errors are reported:

    sudo service apache2 restart

To remove the HTTP Proxy Header with Nginx:

  1. Add "fastcgi_param HTTP_PROXY "";" to /etc/nginx/fastcgi_params:

    sudo sed -i '/SERVER_NAME/ a\\nfastcgi_param HTTP_PROXY \"\";' /etc/nginx/fastcgi_params

  2. Add "proxy_set_header Proxy "";" to /etc/nginx/nginx.conf:

    sudo sed -i '/types_hash_max_size/ a\ proxy_set_header Proxy \"\";' /etc/nginx/nginx.conf

  3. Restart the service:

    sudo service nginx restart

Download and run the following script to finish the steps automatically:

mitigation-httpoxy.sh

    #! /bin/bash

    # Mitigation for HTTPoxy; the Apache issue has been assigned the identifier CVE-2016-5387
    # Please refer to:
    # https://httpoxy.org/#fix-now
    # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/

    # The edits below modify files under /etc, so root is required.
    if [ "$(whoami)" != "root" ]; then
        echo "You must be root to run this script."
        exit 1
    fi

    # Removing the HTTP Proxy Header with Nginx
    echo "Removing the HTTP Proxy Header with Nginx..."
    # Append an empty HTTP_PROXY FastCGI parameter after the SERVER_NAME line
    sed -i '/SERVER_NAME/ a\\nfastcgi_param HTTP_PROXY \"\";' /etc/nginx/fastcgi_params
    # Append an empty Proxy header for proxied requests after the types_hash_max_size line
    sed -i '/types_hash_max_size/ a\ proxy_set_header Proxy \"\";' /etc/nginx/nginx.conf
    service nginx restart

    # Removing the HTTP Proxy Header with Apache
    echo "Removing the HTTP Proxy Header with Apache..."
    # Append the RequestHeader directive at the end of apache2.conf
    sed -i '$ a\\nRequestHeader unset Proxy early' /etc/apache2/apache2.conf
    service apache2 restart
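
The sed commands above insert a directive only when their anchor line (SERVER_NAME, types_hash_max_size) exists, and they append it again on every run, so the result is worth confirming. The following check is an added example, not part of the original Trend Micro script; its function names and sample configuration files are constructed for illustration, and it assumes the file paths used in this article.

```bash
#!/bin/bash
# Added example, not Trend Micro's script: confirm the HTTPoxy directives
# from this article are really present after the sed edits have run.

# Succeeds if FILE has an uncommented line starting with regex PATTERN.
has_directive() {
    local file="$1" pattern="$2"
    [ -r "$file" ] && grep -Eq "^[[:space:]]*${pattern}" "$file"
}

# Prints each missing directive; exit status is the number missing (0-3).
# Paths default to the ones used in the article.
check_httpoxy() {
    local apache="${1:-/etc/apache2/apache2.conf}"
    local fcgi="${2:-/etc/nginx/fastcgi_params}"
    local nginx="${3:-/etc/nginx/nginx.conf}"
    local s='[[:space:]]+' missing=0
    has_directive "$apache" "RequestHeader${s}unset${s}Proxy${s}early" ||
        { echo "MISSING in $apache: RequestHeader unset Proxy early"; missing=$((missing + 1)); }
    has_directive "$fcgi" "fastcgi_param${s}HTTP_PROXY${s}\"\";" ||
        { echo "MISSING in $fcgi: fastcgi_param HTTP_PROXY \"\";"; missing=$((missing + 1)); }
    has_directive "$nginx" "proxy_set_header${s}Proxy${s}\"\";" ||
        { echo "MISSING in $nginx: proxy_set_header Proxy \"\";"; missing=$((missing + 1)); }
    return "$missing"
}

# Constructed sample configs (not from a real SSFE server). nginx.conf has
# no types_hash_max_size line, so the article's sed would match nothing and
# insert nothing; the only Proxy line in it is commented out.
make_samples() {
    local dir="$1"
    printf '%s\n' 'ServerName example.test' '' \
        'RequestHeader unset Proxy early' > "$dir/apache2.conf"
    printf '%s\n' 'fastcgi_param SERVER_NAME $server_name;' '' \
        'fastcgi_param HTTP_PROXY "";' > "$dir/fastcgi_params"
    printf '%s\n' 'http {' '    sendfile on;' \
        '    # proxy_set_header Proxy "";' '}' > "$dir/nginx.conf"
}

# Demo on the constructed samples; call check_httpoxy with no arguments
# to audit the real files instead.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_httpoxy "$demo_dir/apache2.conf" "$demo_dir/fastcgi_params" \
    "$demo_dir/nginx.conf" || echo "directives missing: $?"
rm -rf "$demo_dir"
```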

Category: Configure
Solution Id: 1115623