2019-08-26 - 09:40:46 (UTC) Login
The Password Safe
You are here: Vulnerability responses  >  Httpoxy

Httpoxy

An old vulnerability reappeared and now it has a catchy name: Httpoxy.

The name is derived from "HTTP" the Internet protocol and the "pox" sickness.

A very simplified way to describe the vulnerability is that a malicious request to a server can force affected applications to communicate with wrong servers. This may enable further attacks on user data.

For detailed information refer to: https://httpoxy.org/

The vulnerability comes in different shapes and forms and could have been relevant for the passvault as PHP and Apache are both potentially affected.

Refer to:
CVE-2016-5385 for the PHP part and
CVE-2016-5387 for Apache HTTP server's contribution.

Good news for passvault: The application was not using the HTTP_PROXY environment variable to identify a proxy server for any outgoing communication. Why would there be any in the first place you might ask? The passvault application is separated into a frontend application and a backend - both running on the same server but they communicate via HTTP. But even if - there were no practical ways to exploit it.