httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments such as PHP. Merchants' websites may be vulnerable to this type of attack, and merchants should make sure their web servers are patched as recommended by the https://httpoxy.org website.
The threat from a merchant's side is that
- a malicious user may set the HTTP Proxy header in a call to the merchant store with a proxy URL such as http://malicious.proxy.com
- on a vulnerable server, any subsequent outbound API call, such as processing a payment, may be sent via the malicious proxy service
- the malicious proxy returns a valid-looking authorisation response and steals the credit card data
How do I fix the vulnerability?
- Ensure all your software and services are patched
- Remove proxy headers as they arrive at your web server, before the request reaches your application
Instructions on how to patch and configure your webserver are on the httpoxy website.
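The header-to-environment mapping behind the attack described above, and the two removal points recommended in the fix, as an added example (not CityPay's own code and not taken from httpoxy.org). The request headers and host name are constructed for the demo; the outbound client is a stand-in for any HTTP library that honours HTTP_PROXY from its environment.

```python
from typing import Dict, Optional

# Constructed sample request: the client supplies an unofficial "Proxy" header.
SAMPLE_HEADERS = {
    "Host": "shop.example",  # placeholder merchant host
    "Proxy": "http://malicious.proxy.com",
    "User-Agent": "demo/1.0",
}


def cgi_environ(headers: Dict[str, str]) -> Dict[str, str]:
    """Map request headers to CGI meta-variables as RFC 3875 specifies:
    prefix HTTP_, upper-case the name, turn hyphens into underscores.
    This is the root cause: a "Proxy" header lands in the environment as
    HTTP_PROXY, the variable many HTTP clients read to find a proxy."""
    env = {"REQUEST_METHOD": "POST"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Stand-in for an HTTP client library that trusts HTTP_PROXY from the
    environment; returns the proxy the payment API call would be sent via."""
    return env.get("HTTP_PROXY") or None


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Mitigation at the web server edge: drop the Proxy header before the
    request is handed to CGI/PHP (what 'remove proxy headers' amounts to)."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def sanitize_cgi_environ(env: Dict[str, str]) -> Dict[str, str]:
    """Mitigation inside the application: never let a client-controlled
    HTTP_PROXY survive to the point where outbound calls are made."""
    return {k: v for k, v in env.items() if k != "HTTP_PROXY"}


def has_proxy_header(headers: Dict[str, str]) -> bool:
    """Detection hook: inbound requests carrying a Proxy header are worth
    logging, since browsers never send one."""
    return any(k.lower() == "proxy" for k in headers)


if __name__ == "__main__":
    env = cgi_environ(SAMPLE_HEADERS)
    print("unpatched server would proxy via:", naive_outbound_proxy(env))
    print("after header strip:", naive_outbound_proxy(cgi_environ(strip_proxy_header(SAMPLE_HEADERS))))
    print("after env sanitise:", naive_outbound_proxy(sanitize_cgi_environ(env)))
```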
How does CityPay circumvent this?
- We remove any proxy headers when we receive any HTTP request on our external web servers
- We do not use CGI environments on our payment services
- We regularly monitor and patch all of our infrastructure and services as part of our PCI compliance program
How do I check if I'm vulnerable?
There are some examples on https://github.com/httpoxy
Where do I find more information?
The website https://httpoxy.org contains the best information regarding the vulnerability.