Archive for the ‘Anti-Hacking’ Category

The HTTPoxy Vulnerability has been taken care of by LiteSpeed, automatically!

Monday, July 18th, 2016

Today, HTTPoxy was discovered in the wild. This vulnerability affects some server-side web applications that run in CGI or CGI-like environments, such as some FastCGI configurations. So far, the PHP, Python, and Go languages are known to be affected by this.

The vulnerability is caused by conflicting namespaces. A CGI or FastCGI-like interface sets environment variables based on HTTP request parameters. These can override internal variables that are used to configure the application. Further explanation of this bug can be found on the httpoxy web page.

That page suggests that the best way to fix this issue is to block “Proxy” request headers, and detailed instructions have been posted for various web servers and proxy servers.
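
As an added illustration (not code from LiteSpeed or the httpoxy page), the sketch below shows the namespace collision: a CGI-style mapping turns a client's “Proxy” header into HTTP_PROXY, the variable many HTTP client libraries read for their outbound proxy, and dropping that header leaves the operator's setting in place. The function names, header values and environment are constructed for the example.

```python
# Added example; function names are hypothetical, not LiteSpeed's code.

# Constructed sample request: the "Proxy" header is client-controlled.
SAMPLE_HEADERS = [
    ("Host", "www.example.com"),
    ("User-Agent", "example-client/1.0"),
    ("Proxy", "http://untrusted.invalid:8080"),
]

# Constructed server-side environment, as an operator might configure it.
OPERATOR_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_PROXY": "http://egress.internal.invalid:3128",
}


def cgi_environ(headers, base_env, strip_proxy=False):
    """Map request headers to CGI meta-variables (RFC 3875, section 4.1.18).

    Simplified: every header "Foo-Bar" becomes HTTP_FOO_BAR. With
    strip_proxy=True the "Proxy" header is dropped before the mapping.
    """
    env = dict(base_env)
    for name, value in headers:
        if strip_proxy and name.strip().lower() == "proxy":
            continue  # a client header must never become HTTP_PROXY
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value
    return env


def proxy_used_by_app(env):
    """Stand-in for an HTTP client library that honours HTTP_PROXY."""
    return env.get("HTTP_PROXY")


def demo():
    """Return the proxy the app would use without and with the filter."""
    unfiltered = cgi_environ(SAMPLE_HEADERS, OPERATOR_ENV)
    filtered = cgi_environ(SAMPLE_HEADERS, OPERATOR_ENV, strip_proxy=True)
    return proxy_used_by_app(unfiltered), proxy_used_by_app(filtered)


if __name__ == "__main__":
    before, after = demo()
    print("without filter, app would proxy via:", before)
    print("with filter, app would proxy via:   ", after)
```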

However, manually updating server configurations can be complex, error-prone, and time-consuming. In these cases, careful testing must be done. Even with detailed instructions, it’s hard to predict how long it is going to take to protect websites from the HTTPoxy vulnerability, or if it will ever happen.

With LiteSpeed, blocking these requests is as simple as updating to the newest version of LiteSpeed Web Server.

/usr/local/lsws/admin/misc/lsup.sh -v 5.0.19
or
/usr/local/lsws/admin/misc/lsup.sh -v 5.1.7

All LiteSpeed users will receive a notification within 24 hours regarding this new version and the vulnerability.

LiteSpeed is the only web server provider with the capacity to practically address security vulnerabilities with such speed.

For peace of mind, LiteSpeed should be your top choice.

To get these newest versions of LiteSpeed Web Server directly, visit our LiteSpeed Web Server downloads page.

LiteSpeed Web Server Now Protected Against Shellshock

Thursday, September 25th, 2014

“Bigger than Heartbleed.” That’s what people are saying about Shellshock (CVE-2014-6271 and CVE-2014-7169). But LiteSpeed Web Server is now the only web server protected against Shellshock. (more…)

Unique LiteSpeed Features Fight Symbolic Link Hacking

Tuesday, August 12th, 2014

LSWS boasts two unique features that block symlink hacks: a Follow Symbolic Link setting that cannot be overridden in .htaccess files and strict ownership checking. (more…)

LiteSpeed Security Patch to Fix Heartbleed Bug in OpenSSL

Tuesday, April 8th, 2014

LiteSpeed Web Server 4.2.9 was released this morning as a security patch to address the OpenSSL Heartbleed bug. (more…)

Closing the Loopholes: Disable CGI Override

Friday, March 15th, 2013

LiteSpeed Web Server features something that Apache does not — a way to disable CGI, permanently. (more…)