HTTPoxy was publicly disclosed today. It affects server-side web applications that run in CGI or CGI-like environments, including some FastCGI configurations, and that make outgoing HTTP requests while handling a client request. So far, applications written in PHP, Python, and Go are known to be affected.
The vulnerability is caused by a namespace collision. A CGI or FastCGI-like interface turns each incoming HTTP request header into an environment variable by uppercasing the header name, replacing hyphens with underscores, and prefixing it with HTTP_. A client-supplied “Proxy” header therefore becomes HTTP_PROXY, which many HTTP client libraries read as the outbound proxy setting. An attacker who sends that header can route the application's outgoing HTTP requests through a proxy they control and read or alter them. Further explanation of this bug can be found on the httpoxy web page.
That page recommends blocking the “Proxy” request header as the best fix, and detailed instructions for doing so have been posted there for various web servers and proxy servers.
However, manually updating server configurations can be complex, error prone, and time consuming, and every change needs careful testing. Even with detailed instructions, it is hard to predict how long it will take to protect websites from the HTTPoxy vulnerability, or whether it will happen at all.
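The header-to-environment mapping and the header-blocking fix described above, as an added example (not code from LiteSpeed or the httpoxy project). The incoming request is constructed, evil.example and api.internal are placeholder hosts, and the function names are this example's own:

```python
"""Simulate how a CGI-style server turns request headers into environment
variables, why a client-supplied "Proxy" header becomes HTTP_PROXY, and two
ways to stop it: drop the header at the server, or distrust HTTP_PROXY in the
application when running under CGI.

Added example, not LiteSpeed or httpoxy project code. The request below is
constructed; evil.example and api.internal are placeholder hosts.
"""
from urllib.parse import urlparse

# Constructed incoming request, as the web server would receive it.
REQUEST_HEADERS = {
    "Host": "app.example",
    "User-Agent": "curl/7.47.0",
    "Proxy": "http://evil.example:8080",   # attacker-controlled header
}


def cgi_meta_variables(headers, method="GET"):
    """Map request headers to CGI meta-variables the way RFC 3875 describes:
    uppercase the name, replace '-' with '_', prefix with 'HTTP_'.
    REQUEST_METHOD is always set by a CGI server."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_outbound_proxy(env):
    """What a typical HTTP client library does: honour HTTP_PROXY blindly."""
    return env.get("HTTP_PROXY")


def connect_target(url, proxy):
    """Return the host:port the client would actually open a TCP connection
    to: the proxy if one is configured, otherwise the origin server."""
    target = urlparse(proxy) if proxy else urlparse(url)
    port = target.port or (443 if target.scheme == "https" else 80)
    return f"{target.hostname}:{port}"


def strip_proxy_header(headers):
    """Server-side fix recommended on the httpoxy page: drop the Proxy request
    header before it reaches the CGI/FastCGI layer."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def cgi_safe_outbound_proxy(env):
    """Application-side guard. If REQUEST_METHOD is present we are running
    under CGI, so HTTP_PROXY may have come from a client header and is
    ignored. The lowercase http_proxy cannot be produced from a header
    (CGI always uppercases), so an operator-set value still works."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


if __name__ == "__main__":
    env = cgi_meta_variables(REQUEST_HEADERS)
    api = "http://api.internal/v1"
    print("HTTP_PROXY as seen by the app:", env.get("HTTP_PROXY"))
    print("naive client connects to:   ", connect_target(api, naive_outbound_proxy(env)))
    print("guarded client connects to: ", connect_target(api, cgi_safe_outbound_proxy(env)))
    safe_env = cgi_meta_variables(strip_proxy_header(REQUEST_HEADERS))
    print("after stripping header:     ", "HTTP_PROXY" in safe_env)
```

The application-side guard is only a backstop; blocking the header at the web server, as the page recommends, protects every CGI and FastCGI application behind it at once, including ones you cannot modify.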
With LiteSpeed, blocking these requests is as simple as updating to the newest version of LiteSpeed Web Server for your branch (5.0.19 on the 5.0 branch, 5.1.7 on the 5.1 branch):
/usr/local/lsws/admin/misc/lsup.sh -v 5.0.19
/usr/local/lsws/admin/misc/lsup.sh -v 5.1.7
All LiteSpeed users will receive a notification within 24 hours about this new version and the vulnerability.
LiteSpeed is the only web server provider with the capacity to practically address security vulnerabilities with such speed.
For peace of mind, LiteSpeed should be your top choice.
To get these newest versions of LiteSpeed Web Server directly, visit our LiteSpeed Web Server downloads page.