
PHP Discuss HTTPoxy Security Vulnerability CVE-2016-5385

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Jul 19, 2016.

  1. eva2000 (Administrator, Staff Member)
    Dedicated discussion thread for PHP-FPM Security Update HTTPoxy Vulnerability CVE-2016-5385 | Centmin Mod Community.

    Updating to fix HTTPoxy

    If you don't use centmin.sh menu option 23 submenu option 2 to update your Centmin Mod code, you can just use the git command line if you already have the Centmin Mod git environment set up via centmin.sh menu option 23 submenu option 1. Using these commands in an SSH session is equivalent to using centmin.sh menu option 23 submenu option 2:
    Code (Text):
    cd /usr/local/src/centminmod
    git stash
    git pull
    ./centmin.sh


    Checking if PHP-FPM is secure

    Update PHP Too

    Note PHP has also been updated with native HTTPoxy fixes in

    centmin.sh menu option 5 can be used to update your PHP version by specifying the version number you want when prompted, e.g. 5.6.24

    More info at httpoxy


     
    Last edited: Jul 23, 2016
  2. eva2000 (Administrator, Staff Member)
    Also, if you have manually configured nginx proxying yourself (not the default in Centmin Mod), be sure to set this in your nginx vhost:
    Code (Text):
    proxy_set_header Proxy "";
    
     
  3. negative (Active Member)
  4. Revenge (Active Member)
  5. Revenge (Active Member)
    Do we also need to add that parameter to every PHP pool, or is nginx alone enough?
     
  6. Revenge (Active Member)
    Quick way to check if your site is vulnerable or not:
    Create a PHP file with this:
    PHP:
    <?php
    // Prints only if the "Proxy" request header reached PHP as HTTP_PROXY
    if (isset($_SERVER['HTTP_PROXY']) && $_SERVER['HTTP_PROXY'] == 'vulnerable') {
        echo 'Vulnerable!';
    }
    Now run this on your server:
    Code:
    curl --header "Proxy: vulnerable" http://example.com/httpoxy.php
    If you receive nothing, you are good. If you receive "Vulnerable!", you are not good.
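The mechanism the probe above exercises, as an added example that is not part of the original post, of Centmin Mod or of PHP: a Python model of the CGI header-to-variable mapping (RFC 3875) that turns a `Proxy:` request header into `HTTP_PROXY`, a toy client-side lookup of that variable of the kind affected HTTP client libraries performed, and the effect of the two nginx mitigations from this thread (`fastcgi_param HTTP_PROXY "";` and `proxy_set_header Proxy "";`). The request headers, the proxy address 203.0.113.10:8080 and all function names are constructed for illustration.

```python
"""HTTPoxy in miniature: how a request header turns into the HTTP_PROXY
environment variable a FastCGI/CGI script sees, and what each of the two
nginx mitigations in this thread does to it.  Added example, not Centmin
Mod or PHP code.  The header-to-variable rule is the one CGI (RFC 3875)
specifies; the requests, the toy proxy lookup and the mitigation dict are
constructed for illustration."""

from typing import Dict, Optional
from urllib.parse import urlsplit


def cgi_env_name(header: str) -> str:
    """RFC 3875 meta-variable name for a request header: 'HTTP_' prefix,
    upper-cased, '-' replaced by '_'.  'Proxy' therefore becomes
    HTTP_PROXY, the variable many HTTP clients read for their outbound
    proxy, and that collision is the whole bug."""
    return "HTTP_" + header.upper().replace("-", "_")


def build_cgi_env(headers: Dict[str, str],
                  params: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Environment the PHP script would see: every header mapped as above,
    then the server's own fastcgi_param values applied on top.  Passing
    {"HTTP_PROXY": ""} models `fastcgi_param HTTP_PROXY "";`."""
    env = {"REQUEST_METHOD": "GET"}
    for name, value in headers.items():
        env[cgi_env_name(name)] = value
    env.update(params or {})
    return env


def drop_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Model of `proxy_set_header Proxy "";` at the edge (proxy_pass case):
    nginx does not forward a header whose value is empty, so the header
    disappears before any backend can map it.  Header names are
    case-insensitive, so match on the folded name."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def outbound_proxy_for(url: str, env: Dict[str, str]) -> Optional[str]:
    """Toy version of the lookup affected clients did: route plain-http
    requests through whatever HTTP_PROXY says.  An empty value means
    'no proxy', which is why the nginx fix sets it to "" rather than
    merely leaving the variable alone."""
    if urlsplit(url).scheme != "http":
        return None
    return env.get("HTTP_PROXY") or None


def is_vulnerable(env: Dict[str, str], marker: str = "vulnerable") -> bool:
    """Same condition as the PHP probe in the post above."""
    return env.get("HTTP_PROXY") == marker


# Constructed requests: the probe from the post, and a real attack that
# points the backend's outbound HTTP calls at an attacker-run proxy.
PROBE_HEADERS = {"Host": "example.com", "Proxy": "vulnerable"}
ATTACK_HEADERS = {"Host": "example.com", "Proxy": "http://203.0.113.10:8080"}
FASTCGI_FIX = {"HTTP_PROXY": ""}  # fastcgi_param HTTP_PROXY "";

if __name__ == "__main__":
    for label, env in (
        ("unpatched", build_cgi_env(ATTACK_HEADERS)),
        ('fastcgi_param HTTP_PROXY ""', build_cgi_env(ATTACK_HEADERS, FASTCGI_FIX)),
        ('proxy_set_header Proxy ""', build_cgi_env(drop_proxy_header(ATTACK_HEADERS))),
    ):
        print(f"{label:30} outbound proxy = {outbound_proxy_for('http://api.internal/', env)}")
```

Two details the model makes visible: nginx drops a header whose value is empty, which is what makes `proxy_set_header Proxy "";` a removal rather than a rename; and the CGI mapping always upper-cases, so a client that honours only the lower-case `http_proxy` (as curl does) cannot be reached through a request header, while anything calling `getenv('HTTP_PROXY')` can, which is why the fastcgi_param fix is still needed.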
     
  7. negative (Active Member)
    I didn't fix it but I receive nothing with your test? So is it normal? @Revenge
     
  8. Revenge (Active Member)
    I got that check from reddit and it worked for me. Before I added the mitigation, it showed my site as vulnerable.
     
  9. eva2000 (Administrator, Staff Member)
    Cheers, the example is pretty much what the Centmin Mod auto-updated fix does at PHP-FPM Security Update HTTPoxy Vulnerability CVE-2016-5385 | Centmin Mod Community in terms of setting up
    Code (Text):
    fastcgi_param  HTTP_PROXY         "";

    in all Centmin Mod PHP include files; just the regex match is different, so you can't use the test PHP file. I'll update Centmin Mod to fix that.
    Cheers!
    Two separate things: if you updated to the Centmin Mod latest branch and re-ran centmin.sh, the HTTPoxy fix would have deployed as per Beta Branch - security fix for php-fpm for http proxy header CVE-2016-5385 | Centmin Mod Community. The other separate item is the PHP include file parameters.

    The separate item for testing with the test PHP file outlined at PHP FastCGI Example | NGINX is to manually update your php.conf include files with the changes outlined at update php.conf include file parameters · centminmod/centminmod@19d5f91 · GitHub. Working on auto replacements for them but not done yet, as regex replacements aren't my strong suit.

    edit: fixed the php.conf include files syntax so you can use the example test PHP file as well: Beta Branch - add fixphpfpm_includes function to fix php.conf syntax | Centmin Mod Community
     
    Last edited: Jul 20, 2016
  10. eva2000 (Administrator, Staff Member)
    Dominic's medium blog has more coverage of HTTPoxy vulnerability Dominic Scheirlinck — Profile — Medium
     
    Last edited: Jul 20, 2016
  11. eva2000 (Administrator, Staff Member)
    HTTPoxy - CGI "HTTP_PROXY" variable name clash - Red Hat Customer Portal

     
  12. eva2000 (Administrator, Staff Member)
  13. eva2000 (Administrator, Staff Member)
    FYI, some folks using Centmin Mod have disabled the default php.conf include file in their nginx vhosts in favour of using their own PHP extension location match. If you have done so, you need to manually add the fix to your PHP extension location match context,

    i.e.
    Code (Text):
        location ~ \.php$ {
            . . .
            fastcgi_param HTTP_PROXY "";
            . . .
        }
    


    However, for most Centmin Mod folks who use the default php.conf include file instead, the latest 123.08stable and 123.09beta01 updated code auto-patches all the include files with the relevant setting. That's the reason a php.conf include file is used when nginx vhosts are auto-generated via centmin.sh menu option 2 or 22: easier mass updates in future :)
    Code (Text):
    include /usr/local/nginx/conf/php.conf;
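A way to check the point made in this post and in post 2 (a hand-written `location ~ \.php$` block and a hand-configured `proxy_pass` location each need their own fix), as an added example that is not Centmin Mod's fixphpfpm_includes code: a Python audit that expands `include` directives, strips comments and reports every location block that has a `fastcgi_pass` but no `fastcgi_param HTTP_PROXY "";`, or a `proxy_pass` but no `proxy_set_header Proxy "";`. The sample vhost, php.conf and fastcgi_params contents are constructed for the demo and do not reproduce Centmin Mod's real files (its php.conf uses a different location regex, as noted earlier in the thread).

```python
"""Audit nginx config text for the HTTPoxy mitigations discussed above.
Added example, not Centmin Mod's own fixphpfpm_includes code.  It expands
`include` directives from an in-memory file map, strips comments, and
flags every `location` block with a `fastcgi_pass` but no
`fastcgi_param HTTP_PROXY "";`, or a `proxy_pass` but no
`proxy_set_header Proxy "";`.  SAMPLE_FILES is constructed for the demo."""

import re
from typing import Dict, List, Tuple

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+?)\s*;", re.M)
LOCATION_RE = re.compile(r"\blocation\b[^{;]*\{")
FASTCGI_PASS_RE = re.compile(r"\bfastcgi_pass\b")
PROXY_PASS_RE = re.compile(r"\bproxy_pass\b")
# The fix must be an *empty* value; e.g. `HTTP_PROXY $http_proxy` would keep the hole open.
FASTCGI_FIX_RE = re.compile(r"""\bfastcgi_param\s+HTTP_PROXY\s+(?:""|'')\s*;""")
PROXY_FIX_RE = re.compile(r"""\bproxy_set_header\s+Proxy\s+(?:""|'')\s*;""", re.I)


def expand_includes(text: str, files: Dict[str, str], seen: Tuple[str, ...] = ()) -> str:
    """Inline `include <path>;` from the file map, as nginx does at load time.
    Unknown or already-seen paths are left behind as a comment."""
    def repl(m):
        path = m.group(1)
        if path in seen or path not in files:
            return f"# include {path} (not available)"
        return expand_includes(files[path], files, seen + (path,))
    return INCLUDE_RE.sub(repl, text)


def strip_comments(text: str) -> str:
    """Drop `# ...` so a commented-out fix does not count as present."""
    return re.sub(r"#[^\n]*", "", text)


def location_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (header, body) for every `location ... { ... }`, nested or not,
    by brace-matching from each `location` keyword."""
    blocks, pos = [], 0
    while True:
        m = LOCATION_RE.search(text, pos)
        if not m:
            return blocks
        depth, j = 1, m.end()
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        blocks.append((m.group(0)[:-1].strip(), text[m.end():j - 1]))
        pos = m.end()


def audit_httpoxy(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (file, location header, problem) for each unmitigated block."""
    findings = []
    for path, raw in files.items():
        text = strip_comments(expand_includes(raw, files))
        for header, body in location_blocks(text):
            if FASTCGI_PASS_RE.search(body) and not FASTCGI_FIX_RE.search(body):
                findings.append((path, header, 'missing fastcgi_param HTTP_PROXY "";'))
            if PROXY_PASS_RE.search(body) and not PROXY_FIX_RE.search(body):
                findings.append((path, header, 'missing proxy_set_header Proxy "";'))
    return findings


# Constructed sample: one vhost that uses the patched php.conf include and
# one that replaced it with a hand-written PHP location plus a proxy_pass.
SAMPLE_FILES = {
    "/usr/local/nginx/conf/conf.d/example.com.conf": r"""
server {
    listen 80;
    server_name example.com;
    location / { try_files $uri $uri/ /index.php?$args; }
    include /usr/local/nginx/conf/php.conf;
}
server {
    listen 80;
    server_name custom.example.com;
    # php.conf include removed in favour of a custom location match
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        include /usr/local/nginx/conf/fastcgi_params;
    }
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
    }
}
""",
    "/usr/local/nginx/conf/php.conf": r"""
location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param HTTP_PROXY "";
    include /usr/local/nginx/conf/fastcgi_params;
}
""",
    "/usr/local/nginx/conf/fastcgi_params": r"""
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
""",
}

if __name__ == "__main__":
    for path, header, problem in audit_httpoxy(SAMPLE_FILES):
        print(f"{path}: {header}: {problem}")
```

To run it against a live server, build the dict by reading the files under /usr/local/nginx/conf (keys are plain strings, so any layout works). It is a textual check: it does not evaluate nginx's location matching order, so a block that is never selected is still reported, which errs on the safe side.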
    
     
  14. eva2000 (Administrator, Staff Member)
    FYI, ownCloud is also vulnerable due to a vulnerability in the 3rd-party component Guzzle: ownCloud 9.0.4, 8.2.7, 8.1.9, 8.0.14 released | ownCloud.org
     
  15. eva2000 (Administrator, Staff Member)
    Nice info and discussion on whether HTTPS/SSL mitigates HTTPoxy: httpoxy - does TLS/SSL mitigate the vulnerability of HTTP Proxy header? - Information Security Stack Exchange
     
  16. Revenge (Active Member)
    As I understand it, if we enable internal encryption, this problem would never have happened, even without the mitigation?
     
  17. eva2000 (Administrator, Staff Member)
    Yeah, I believe so for part of the request, but that would mean fastcgi_pass or proxy_pass via https instead of 127.0.0.1:PORT
     
  18. Revenge (Active Member)
    And probably that would slow down the webserver.
     
  19. eva2000 (Administrator, Staff Member)
  20. Xon (Active Member)
    FYI, XenForo in its default configuration shouldn't be vulnerable. Who knows about add-ons :p