2022-01-27 - 15:18:56 (UTC) Login
The Password Safe
An old vulnerability reappeared and now it has a catchy name: Httpoxy.
The name is derived from "HTTP" the Internet protocol and the "pox" sickness.
A very simplified way to describe the vulnerability is that a malicious request to a server can force affected applications to communicate with wrong servers. This may enable further attacks on user data.
For detailed information refer to: https://httpoxy.org/
The vulnerability comes in different shapes and forms and could have been relevant for the passvault as PHP and Apache are both potentially affected.
Good news for passvault: The application was not using the HTTP_PROXY environment variable to identify a proxy server for any outgoing communication. Why would there be any in the first place you might ask? The passvault application is separated into a frontend application and a backend - both running on the same server but they communicate via HTTP. But even if - there were no practical ways to exploit it.