
How to fix HTTPoxy vulnerability in cPanel, Plesk or other Linux / Windows servers

On 18th July, our security team was alerted to a set of vulnerabilities collectively called HTTPoxy. It allows attackers to steal data from CGI-enabled web servers.

As of this writing, patches are only available for LiteSpeed, but we've identified ways to mitigate this vulnerability in Apache, Nginx, IIS and other web servers and proxies.

[ Update 21st July – cPanel released patches for Apache. ]

What is HTTPoxy?

HTTPoxy is a vulnerability in CGI environments that allows an attacker to redirect a web application's outbound traffic through an arbitrary proxy server. Here's how it works:

Some web applications open outgoing HTTP connections, for example to fetch periodic weather data or to post data updates. These connections are normally opened directly to the target servers.

However, an environment variable called "HTTP_PROXY" is honoured by many HTTP client libraries as an instruction to send all outbound connections through a specific proxy server. In a CGI environment, the web server copies every request header into an environment variable prefixed with HTTP_, so a client-supplied "Proxy:" header arrives in the application as HTTP_PROXY. The HTTPoxy vulnerability therefore lets attackers remotely set this variable and direct all of the application's outbound traffic through a malicious proxy server.

Figure: How HTTPoxy works

The malicious proxy server can then capture sensitive data from those connections, or inject malware into the traffic to the external servers once the application has authenticated to them.
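To make that chain concrete, here is an added example (not code from the original post) that models the header-to-environment mapping and the two places where it can be cut: at the web server, by dropping the Proxy header, and in the client library, which is shown with Python's own urllib as a real patched client. The request headers are constructed; the Apache and nginx directives named in the comments are the published mitigations for those servers.

```python
"""Model of the HTTPoxy chain: request header -> CGI meta-variable -> client proxy."""
import os
from unittest.mock import patch
from urllib.request import getproxies_environment

# Constructed request headers; 'Proxy: AFFECTED' is the header the curl test sends.
SAMPLE_HEADERS = [
    ("Host", "your-domain-name-here"),
    ("User-Agent", "curl/7.47.0"),
    ("Proxy", "AFFECTED"),
]


def cgi_meta_variables(headers, request_method="GET"):
    """Build the CGI environment as RFC 3875 section 4.1.18 prescribes: each request
    header becomes HTTP_<NAME> with '-' replaced by '_'. This mapping is why a
    client-supplied 'Proxy:' header shows up as HTTP_PROXY, a name that many HTTP
    client libraries treat as their outbound proxy setting."""
    env = {"REQUEST_METHOD": request_method}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def drop_proxy_header(headers):
    """Web-server-side mitigation, modelled: discard the Proxy header before the CGI
    environment is built (the effect of Apache's 'RequestHeader unset Proxy early'
    or nginx's 'fastcgi_param HTTP_PROXY "";'). Proxy is not a standard request
    header, so dropping it breaks nothing."""
    return [(n, v) for n, v in headers if n.lower() != "proxy"]


def naive_client_proxy(env):
    """An unpatched client library: trusts HTTP_PROXY wherever it came from."""
    return env.get("HTTP_PROXY")


def fixed_client_proxy(env):
    """A patched client library, using Python's urllib as the real example: since
    its HTTPoxy fix, getproxies_environment() ignores uppercase HTTP_PROXY whenever
    REQUEST_METHOD is set (i.e. inside a CGI request) but still honours a lowercase
    http_proxy, which CGI can never produce, so admin-set proxies keep working."""
    with patch.dict(os.environ, env, clear=True):
        return getproxies_environment().get("http")


if __name__ == "__main__":
    env = cgi_meta_variables(SAMPLE_HEADERS)
    print("unpatched client would use:", naive_client_proxy(env))  # AFFECTED
    print("patched client uses:", fixed_client_proxy(env))  # None
    safe_env = cgi_meta_variables(drop_proxy_header(SAMPLE_HEADERS))
    print("after web server fix:", naive_client_proxy(safe_env))  # None
```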


Are your servers vulnerable?

To test whether your servers are vulnerable, create a file called test.cgi in the "cgi-bin" directory of any domain with the following content, then give it 755 permissions and the correct ownership.

#!/bin/sh
echo "Content-Type: text/plain"
echo ""
echo "HTTP_PROXY='$HTTP_PROXY'"

Then request the script with a "Proxy:" header, like this:

curl -H 'Proxy: AFFECTED' http://your-domain-name-here/cgi-bin/test.cgi

If the output contains HTTP_PROXY='AFFECTED', the Proxy header reached the CGI environment and your server is vulnerable. An empty value (HTTP_PROXY='') means the header was dropped before the script ran.

Is there an easier way to know?

Many web servers pass the Proxy header through to CGI applications as HTTP_PROXY. For example, if you have a LAMP stack, chances are you're using mod_php or PHP-FPM in its default configuration, which allows this header through.

So the rule of thumb is: if your server is CGI-enabled and running a default installation, consider it vulnerable.

This is especially true if you are a web hosting provider. Control panels like cPanel/WHM, Plesk, DirectAdmin, etc. allow you to run PHP apps in CGI mode.



Bobcares provides Outsourced Hosting Support for online businesses. Our services include Outsourced Web Hosting Support, Outsourced Server Support, Outsourced Help Desk Support, Outsource Live Chat Support and Phone Support Services.
