Archive for the ‘Security’ Category

The HTTPoxy Vulnerability has been taken care of by LiteSpeed, automatically!

Monday, July 18th, 2016

Today, HTTPoxy was discovered in the wild. This vulnerability affects some server-side web applications that run in CGI or CGI-like environments, such as some FastCGI configurations. So far, the PHP, Python, and Go languages are known to be affected by this.

The vulnerability is caused by conflicting namespaces. A CGI or FastCGI-like interface sets environment variables based on HTTP request parameters. These can override internal variables that are used to configure the application. Further explanation of this bug can be found on the httpoxy web page.

The httpoxy page suggests that the best way to fix this issue is to block “Proxy” request headers; detailed instructions have been posted there for various web servers and proxy servers.
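The namespace conflict and the header-blocking fix described above can be seen in a short sketch. This is an added example, not LiteSpeed's code or code from the httpoxy page; it assumes the CGI header mapping of RFC 3875 (header name upper-cased, `-` replaced by `_`, prefixed with `HTTP_`), and all function names, hosts and addresses in it are constructed for illustration.

```python
"""Added illustration of the httpoxy namespace conflict (constructed data)."""


def headers_to_cgi_vars(headers):
    """Map request headers to CGI meta-variables as in RFC 3875, 4.1.18."""
    cgi = {}
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        # Repeated headers are folded into one comma-separated value.
        cgi[key] = f"{cgi[key]}, {value}" if key in cgi else value
    return cgi


def strip_proxy_header(headers):
    """Mitigation: drop every header named 'Proxy', whatever its case."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]


def build_environ(server_env, headers, strip_proxy=True):
    """Environment handed to the CGI/FastCGI application (hypothetical helper)."""
    if strip_proxy:
        headers = strip_proxy_header(headers)
    env = dict(server_env)
    # Request-derived variables are written last, so they win on a name clash.
    env.update(headers_to_cgi_vars(headers))
    return env


def outbound_proxy(env):
    """The value a client library that honours HTTP_PROXY would pick up."""
    return env.get("HTTP_PROXY")


# Constructed sample: the administrator configured an internal proxy,
# and the request carries a 'Proxy' header in mixed case.
SERVER_ENV = {"REQUEST_METHOD": "GET",
              "HTTP_PROXY": "http://proxy.internal.example:3128"}
REQUEST_HEADERS = [("Host", "shop.example"),
                   ("User-Agent", "example-client/1.0"),
                   ("pRoXy", "http://203.0.113.7:8080")]

if __name__ == "__main__":
    unfiltered = build_environ(SERVER_ENV, REQUEST_HEADERS, strip_proxy=False)
    filtered = build_environ(SERVER_ENV, REQUEST_HEADERS)
    print("without header blocking:", outbound_proxy(unfiltered))
    print("with header blocking:   ", outbound_proxy(filtered))
```

Without the filter, the request-supplied value replaces the administrator's setting; with it, the application sees only the server's own `HTTP_PROXY`.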

However, manually updating server configurations can be complex, error prone, and time consuming. In these cases, careful testing must be done. Even with detailed instructions, it’s hard to predict how long it is going to take to protect websites from the HTTPoxy vulnerability, or if it will ever happen.

With LiteSpeed, blocking these requests is as simple as updating to the newest version of LiteSpeed Web Server.

/usr/local/lsws/admin/misc/lsup.sh -v 5.0.19
or
/usr/local/lsws/admin/misc/lsup.sh -v 5.1.7

All LiteSpeed users will receive a notification within 24 hours regarding this new version and the vulnerability.

LiteSpeed is the only web server provider with the capacity to practically address security vulnerabilities with such speed.

For peace of mind, LiteSpeed should be your top choice.

To get these newest versions of LiteSpeed Web Server directly, visit our LiteSpeed Web Server downloads page.

LSMCD: A Persistent, Highly Scalable and Available Memcached Replacement

Wednesday, April 13th, 2016

Think database web applications have to be slow? Think again! With our completely free and open source LiteSpeed Memcached, you can accelerate your site by alleviating database load dynamically!

(more…)

Real Problem, Real Solution, Really Fast
From feature request to solution delivery in less than an hour

Monday, December 28th, 2015

Recently, there have been a number of large-scale brute-force attacks on WordPress sites. These attacks try to bypass WordPress security by attempting to log in with every possible combination of username and password, sometimes sending thousands of requests per second.

Since these attacks began, one of our clients had all 50 of his hosted WordPress sites simultaneously attacked. He was able to mitigate these attacks using LiteSpeed’s mod_security rules, but wanted a way to easily and automatically block these IPs at the server level.

We responded within an hour – modifying our code and publishing a new build that allowed the client to add offending IP addresses to the blocked IP list using mod_security rules. These IPs can then be easily grabbed from the blocked IP list and added to the server level firewall using a script – stopping the connection at the network level before it ever reaches LiteSpeed Web Server.

That’s the kind of speed you can expect from LiteSpeed!

LSWS 5.0.3 Updated To Fix Forced SSL On Google Chrome Version 44.0.2403.89

Friday, July 24th, 2015

The latest Google Chrome version 44.0.2403.89 is currently redirecting all HTTP URLs to their HTTPS versions for certain web applications. This is caused by a Chrome bug that sends the “HTTPS: 1” header by default on every request. It is mainly causing problems for WordPress sites with the WooCommerce plugin installed, as well as for sites without HTTPS support. Because of WordPress and WooCommerce’s popularity, this bug may be affecting a large number of people.
(more…)

LiteSpeed Web Server Now Protected Against Shellshock

Thursday, September 25th, 2014

“Bigger than Heartbleed.” That’s what people are saying about Shellshock (CVE-2014-6271 and CVE-2014-7169). But LiteSpeed Web Server is now the only web server protected against Shellshock. (more…)

Unique LiteSpeed Features Fight Symbolic Link Hacking

Tuesday, August 12th, 2014

LSWS boasts two unique features that block symlink hacks: a Follow Symbolic Link setting that cannot be overridden in .htaccess files and strict ownership checking. (more…)

LSWS 4.2.12 Fixes Newest OpenSSL Vulnerability

Monday, June 9th, 2014

This latest OpenSSL vulnerability affects all versions of OpenSSL, so it is suggested that all users upgrade to 4.2.12. (more…)

LiteSpeed Security Patch to Fix Heartbleed Bug in OpenSSL

Tuesday, April 8th, 2014

LiteSpeed Web Server 4.2.9 was released this morning as a security patch to address the OpenSSL Heartbleed bug. (more…)

Atomicorp Announces LiteSpeed Support for ModSecurity Rules

Friday, March 21st, 2014

Atomicorp, developers of the Internet’s most trusted ModSecurity rules, has announced official support for LiteSpeed Web Server with their Realtime ModSecurity Rules. (more…)

Why Your HTTP Server Can’t Block SYN Floods (And What You Can Do)

Monday, July 1st, 2013

SYN floods are back in vogue. As DDoS-ing becomes more and more of an industry and the resources necessary for an effective attack become more accessible, SYN flooding has become more popular. Unfortunately, LiteSpeed Web Server (or Apache or Nginx or Lighttpd or Cherokee or Jetty or Tomcat or …) can’t help you with SYN floods. Here’s why and what you can do (including signing up for our free anti-DDoS proxy service): (Check our wiki for simple steps to hardening your kernel against SYN floods. Both the wiki and this article are geared toward hardening a Linux kernel only.) (more…)