New flaws that could be exploited by hackers have been uncovered in the Common Gateway Interface (CGI) widely used by web sites. According to the site https://httpoxy.org/ the httpoxy set of vulnerabilities affect application code running in CGI, or CGI-like environments, including PHP, Go, Python and others.
According to Christopher Fearon, director of security research at Black Duck Software, which helps organisations to identify, secure and manage open source software in the enterprise:
“It’s extremely likely that these flaws will lead to attacks since the flaw is easy to exploit. But mitigation is quick to perform, although many separate pieces of open source software are affected and must be patched separately.”
“Simply block or remove the ‘Proxy’ request headers as early as possible, preferably on the application firewall or directly on the webserver. All external requests from any webserver should be locked down and monitored. Outward access should be granted on a whitelist basis. The good news is that vendors (such as lighttpd) are already implementing updates.”
He continued: “Sites running over HTTPS are not vulnerable, which is yet another reason why all sites should implement HTTPS.”