Topic: HTTPOXY Vulnerability
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
====
A CGI application vulnerability
for PHP, Go, Python and others
httpoxy.org
Check your Server
Create a PHP file with the name httpoxy.php with this and put it in your public html:
<?php
// The web server exposes a client-sent "Proxy" request header as HTTP_PROXY.
if (isset($_SERVER['HTTP_PROXY']) && $_SERVER['HTTP_PROXY'] == 'vulnerable') {
    echo 'Vulnerable!';
}
Run this on your server:
curl --header "Proxy: vulnerable" http://example.com/httpoxy.php
If you don't receive anything, you are good.
If you receive "Vulnerable!", you are not good.
How to Protect Your Server Against the HTTPoxy Vulnerability
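Added example, not part of the original post: a small Python model of the CGI header-to-environment mapping that makes the check above work, showing a client-sent Proxy header replacing an operator-set HTTP_PROXY and the effect of dropping that header before the application runs. The function names, the internal proxy address and the sample request are constructed for illustration.

```python
# Added example (not from the original post): a minimal model of the CGI
# header-to-environment mapping. All names and sample values are constructed.

UNPREFIXED = {"CONTENT_TYPE", "CONTENT_LENGTH"}  # passed without the HTTP_ prefix


def cgi_environ(headers, server_env=None, strip_proxy=False):
    """Return the environment a CGI-style gateway would hand to the application.

    headers     -- list of (name, value) pairs as received from the client
    server_env  -- variables the operator set on the server (assumed input)
    strip_proxy -- drop any Proxy header first, as a server-side fix does
    """
    env = dict(server_env or {})
    from_client = set()
    for name, value in headers:
        key = name.strip().upper().replace("-", "_")
        if strip_proxy and key == "PROXY":
            continue  # header names are case-insensitive, so compare normalised
        if key not in UNPREFIXED:
            key = "HTTP_" + key
        if key in from_client:
            env[key] += ", " + value  # repeated headers are joined
        else:
            env[key] = value  # overwrites an operator-set variable of the same name
            from_client.add(key)
    return env


def httpoxy_exposed(headers, server_env=None, strip_proxy=False):
    """True when a client-sent Proxy header changes HTTP_PROXY for the application."""
    before = (server_env or {}).get("HTTP_PROXY")
    after = cgi_environ(headers, server_env, strip_proxy).get("HTTP_PROXY")
    return after != before


# Constructed request, matching the curl check on this page.
REQUEST = [("Host", "example.com"), ("Accept", "*/*"), ("pRoXy", "vulnerable")]
# Constructed operator setting (hypothetical internal proxy).
SERVER_ENV = {"REQUEST_METHOD": "GET", "HTTP_PROXY": "http://proxy.internal.example:3128"}

if __name__ == "__main__":
    print("unfiltered:", cgi_environ(REQUEST, SERVER_ENV)["HTTP_PROXY"])
    print("filtered:  ", cgi_environ(REQUEST, SERVER_ENV, strip_proxy=True)["HTTP_PROXY"])
    print("exposed without fix:", httpoxy_exposed(REQUEST, SERVER_ENV))
    print("exposed with fix:   ", httpoxy_exposed(REQUEST, SERVER_ENV, strip_proxy=True))
```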