DirectAdmin Knowledge Base and Support


Mitigation of HTTPoxy vulnerability on Directadmin powered server

13:10:08 19.07.2016

On July 18th, 2016, a CGI application vulnerability referred to as "HTTPoxy" was disclosed. An attacker can exploit vulnerable deployments by sending an HTTP Proxy header with their request, which alters the URL the application uses when contacting backing services. This can be used to leak credentials, modify responses to the application, etc.

Here are two simple ways to fix it and secure your Directadmin server against the vulnerability.

Automatic fix with Custombuild (rev 1564 or newer)

cd /usr/local/directadmin/custombuild
./build update
./build version
./build rewrite_confs

With this, /etc/httpd/conf/extra/httpd-default.conf and /etc/nginx/nginx_limits.conf should be updated. If the process fails, or you need a manual update for any other reason, use the second way:

Apache Server

This is a valid solution for both setups: standalone Apache, and Apache with NGINX as a front-end.

echo -e "\nRequestHeader unset Proxy early" | tee -a /etc/httpd/conf/extra/httpd-includes.conf
service httpd restart

NGINX

As a standalone server with PHP-FPM (only)

echo 'fastcgi_param  HTTP_PROXY         "";' | tee -a /etc/nginx/fastcgi_params
mkdir /usr/local/directadmin/custombuild/custom/nginx/conf/ -p
cp -p /etc/nginx/fastcgi_params /usr/local/directadmin/custombuild/custom/nginx/conf/
service nginx restart
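To make the mechanism behind the two fixes above concrete, here is a small added example (not DirectAdmin or CustomBuild code) that models how a CGI gateway turns request headers into HTTP_* environment variables, why a client-supplied Proxy header therefore lands in HTTP_PROXY, and how the Apache mitigation (dropping the header before the mapping, as `RequestHeader unset Proxy early` does) and the nginx mitigation (overriding HTTP_PROXY with an empty value, as the `fastcgi_param` line does) each neutralise it. The request headers and the proxy URL are constructed sample data; the function names are this example's own.

```python
"""Model of the HTTPoxy header-to-environment collision and of the two
mitigations described on this page. Added example; not DirectAdmin,
CustomBuild, Apache or nginx code."""

from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample request: ordinary headers plus a client-supplied Proxy header.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Host", "example.test"),
    ("User-Agent", "demo/1.0"),
    ("Proxy", "http://proxy.example.invalid:8080"),  # constructed value
]


def header_to_meta_variable(name: str) -> str:
    """RFC 3875 section 4.1.18: 'HTTP_' + header name uppercased, '-' -> '_'.
    This is the rule that maps a 'Proxy' header onto HTTP_PROXY."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_env(headers: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Naive gateway behaviour: every request header becomes an HTTP_* variable
    in the environment handed to the CGI/FastCGI application."""
    env = {"REQUEST_METHOD": "GET", "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers:
        env[header_to_meta_variable(name)] = value
    return env


def strip_proxy_header(headers: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Apache-style mitigation: remove the Proxy header (case-insensitively)
    before it can be mapped into the environment."""
    return [(n, v) for n, v in headers if n.lower() != "proxy"]


def blank_http_proxy(env: Dict[str, str]) -> Dict[str, str]:
    """nginx-style mitigation: after the mapping, force HTTP_PROXY to an empty
    string so whatever the client sent is overwritten."""
    fixed = dict(env)
    fixed["HTTP_PROXY"] = ""
    return fixed


def effective_proxy(env: Dict[str, str]) -> Optional[str]:
    """What a proxy-aware HTTP client library would pick up from this
    environment; an unset or empty HTTP_PROXY means 'no proxy'."""
    return env.get("HTTP_PROXY") or None


def has_proxy_header(headers: Iterable[Tuple[str, str]]) -> bool:
    """Detection helper: a Proxy request header has no legitimate use in a
    browser-to-server request, so its presence is worth logging."""
    return any(n.lower() == "proxy" for n, _ in headers)


def demonstrate() -> Dict[str, Optional[str]]:
    """Return the proxy a backend client would use in each scenario."""
    unmitigated = build_cgi_env(SAMPLE_HEADERS)
    apache_fixed = build_cgi_env(strip_proxy_header(SAMPLE_HEADERS))
    nginx_fixed = blank_http_proxy(build_cgi_env(SAMPLE_HEADERS))
    return {
        "unmitigated": effective_proxy(unmitigated),
        "apache": effective_proxy(apache_fixed),
        "nginx": effective_proxy(nginx_fixed),
    }


if __name__ == "__main__":
    print("Proxy header present:", has_proxy_header(SAMPLE_HEADERS))
    for label, proxy in demonstrate().items():
        print(f"{label:12s} HTTP_PROXY -> {proxy!r}")
```

Note the difference between the two mitigations: the Apache form removes the variable entirely, while the nginx form leaves HTTP_PROXY defined but empty. Both are safe because client libraries treat an empty value as "no proxy", but the nginx form must come after any generic header mapping so that it wins.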

More reading

For those who need more information on the subject, please refer to the following links:

  • https://httpoxy.org/
  • https://www.apache.org/security/asf-httpoxy-response.txt
  • http://forum.directadmin.com/showthread.php?t=53503