1 Topic by 4jamesallen

  • 4jamesallen
  • Member
  • Offline
  • Registered: 2015-08-25
  • Posts: 10

Topic: Vulnerable to httpoxy?.. a CGI application vulnerability for PHP

======== Required information ====
- iRedMail version: 0.9.5-1
- Linux/BSD distribution name and version: Centos 7.2.1511
- Store mail accounts in which backend: MySQL
- Web server: Nginx
====

Is iRedMail vulnerable to httpoxy? I know my machine is using Nginx and I am looking throughout the "/etc/nginx/templates" directory for any opportunities to possibly patch fastcgi parameters or wsgi references. So far I've found possibilities in:

/etc/nginx/templates/iredadmin.tmpl
/etc/nginx/templates/php-catchall.tmpl
/etc/nginx/templates/roundcube.tmpl
/etc/nginx/templates/sogo.tmpl (maybe?.. I'm unfamiliar with it.)

Any suggested course of action?

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,165

Re: Vulnerable to httpoxy?.. a CGI application vulnerability for PHP

The point is: your web application uses HTTP_PROXY variable. If your web applications don't use HTTP_PROXY at all, it's ok.

I will update Nginx templates to use the patch by default.

fastcgi_param HTTP_PROXY '';