Web service operators are being warned to mitigate against a vulnerability dubbed 'httpoxy', based on an issue dating back to 2001.
As detailed on the official website
- all major vulnerabilities these days requiring a logo, catchy name, and dedicated website on its own exclusive domain - the httpoxy vulnerability is easy to exploit: attackers taking advantage of the bug are, its discoverers claim, able to trick server-side applications into proxying outgoing requests, open arbitrary connections, or route through a malicious proxy.
The biggest surprise of httpoxy, though, is not its ease of exploitation or what attackers can do with it; it's the fact that the issue was first discovered in March 2001 as a bug in libwww-perl by Randal L. Schwartz. While this implementation was fixed, no research was ever done into whether the same issue affected other software: the same bug was spotted in the curl utility in April 2001, then lay dormant until July 2012 when the Ruby team spotted the potential for disaster when implementing http_proxy header support into their software. In November 2013 the issue was raised on the ngnix web server mailing list, and on the Apache web server development list in February 2015.
It wasn't until July 2016, though, that the bug was found in the wild and noted to be trivially exploitable across a range of software. 'The bug was lying dormant for years, like a latent infection: pox,
' explained Dominic Scheirlinck, one of the team responsible for disclosing the scale of the httpoxy vulnerability. 'We imagine that many people may have found the issue over the years, but never investigated its scope in other languages and libraries.
Affected software is being patched to remove the vulnerability, but anyone running server-side applications is advised to apply immediate mitigations
to ensure protection.