Httpoxy Vulnerability

Thu 13 October 2016

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments such as PHP. Merchants' websites may be vulnerable to this type of attack, and merchants should make sure their web servers are patched as recommended by the https://httpoxy.org website.

The threat from a merchant's side is that:

  1. a malicious user may set the HTTP Proxy header in a call to the merchant store with a proxy URL such as http://malicious.proxy.com;
  2. any subsequent API call, such as processing a payment, may be sent by a vulnerable server via the malicious proxy service;
  3. the malicious proxy returns a valid-looking authorisation response and steals the credit card data.

How do I fix the vulnerability?

  1. Ensure all your software and services are patched
  2. Remove proxy headers as they arrive into your webserver

Instructions on how to patch and configure your webserver are on the httpoxy website.
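As an added illustration (not CityPay's code and not from the httpoxy project), the following Python mimics how a CGI gateway turns a client-supplied Proxy header into the HTTP_PROXY variable, and shows the two defences listed above: stripping the header at the web server, and having the outbound HTTP client ignore HTTP_PROXY whenever it runs inside a CGI request. All header and proxy values are constructed.

```python
from typing import Dict, Optional

# Constructed sample request headers, as a CGI gateway would receive them.
# The "Proxy" header is client-controlled; the rest are ordinary headers.
SAMPLE_HEADERS = {
    "Host": "shop.example",
    "Proxy": "http://malicious.proxy.example:8080",  # constructed value
    "User-Agent": "curl/7.0",
}


def cgi_environ(headers: Dict[str, str], method: str = "POST") -> Dict[str, str]:
    """Mimic RFC 3875 meta-variable naming: each request header becomes
    HTTP_<NAME>, upper-cased with '-' replaced by '_'. This is the root of
    httpoxy: a client 'Proxy:' header lands in HTTP_PROXY, which many HTTP
    client libraries read as the operator-configured outbound proxy."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def vulnerable_outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Pre-fix behaviour: trust HTTP_PROXY regardless of where it came from."""
    return env.get("HTTP_PROXY")


def outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Hardened client rule: when REQUEST_METHOD is present the process is
    serving a CGI request, so HTTP_PROXY came from the client and must be
    ignored. Outside CGI it is a legitimate operator setting."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Web-server-side mitigation: drop any 'Proxy' request header before it
    reaches the application, so it can never become HTTP_PROXY."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


if __name__ == "__main__":
    env = cgi_environ(SAMPLE_HEADERS)
    print("HTTP_PROXY seen by app:   ", env.get("HTTP_PROXY"))
    print("vulnerable client would use:", vulnerable_outbound_proxy(env))
    print("hardened client uses:       ", outbound_proxy(env))
    stripped = cgi_environ(strip_proxy_header(SAMPLE_HEADERS))
    print("after stripping header:     ", stripped.get("HTTP_PROXY"))
```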

How does CityPay circumvent this?

  1. We remove any proxy headers when we receive any HTTP request on our external web servers
  2. We do not use CGI environments on our payment services
  3. We regularly monitor and patch all of our infrastructure and services as part of our PCI compliance program

How do I check if I'm vulnerable?

There are some examples on https://github.com/httpoxy 

Where do I find more information?

The website https://httpoxy.org contains the best information regarding the vulnerability. 
