Post by Lee Sharp on Jul 18, 2016 18:17:08 GMT
It is no fun when these big exploits come out. The initial reports can be hard to parse, and the later reports are so full of terror and hype that there is no room left for content. And the advice is always the same... "Upgrade to the latest and greatest and biggest version..." So when a new risk comes out it can take a while to figure out if it is even a risk...
Here is some data on it...
access.redhat.com/security/vulnerabilities/httpoxy
httpoxy.org/
www.cyberciti.biz/faq/fix-httpproxy-cgi-application-vulnerability-for-linux-unix-apache-nginx-python-php/
The short form is that the vulnerability can cause your server to use an untrusted third party as a proxy for all redirected web requests. So to even be an issue, your web server has to be surfing the web.
And actually this happens. The old code to check to see if m0n0wall was on the latest version pulled information from the m0n0.ch website. That code is not in SmallWall right now, but it is on the list of things to put back in. However, there is no code in SmallWall, m0n0wall, or t1n1wall to download a new image! So, even if it worked, and the code was still in SmallWall (It is still in t1n1wall) the worse that could happen is that an attacker could hide a new version from you...
That said, all the test code I can find shows that it does not work on SmallWall. See, old code is not always a bad thing. SmallWall uses code that does not have a lot of the features being exploited today. Yes, unpatched old code has vulnerabilities. But they can be patched. And that is what I was looking at today; seeing if I had to scramble and patch some old code. And we are not vulnerable by any tests I have tried both under http and https.
So now back to trying to update mini_httpd and ez-ipupdate. (And my day job...)
Here is some data on it...
access.redhat.com/security/vulnerabilities/httpoxy
httpoxy.org/
www.cyberciti.biz/faq/fix-httpproxy-cgi-application-vulnerability-for-linux-unix-apache-nginx-python-php/
The short form is that the vulnerability can cause your server to use an untrusted third party as a proxy for all redirected web requests. So to even be an issue, your web server has to be surfing the web.
And actually this happens. The old code to check to see if m0n0wall was on the latest version pulled information from the m0n0.ch website. That code is not in SmallWall right now, but it is on the list of things to put back in. However, there is no code in SmallWall, m0n0wall, or t1n1wall to download a new image! So, even if it worked, and the code was still in SmallWall (It is still in t1n1wall) the worse that could happen is that an attacker could hide a new version from you...That said, all the test code I can find shows that it does not work on SmallWall. See, old code is not always a bad thing. SmallWall uses code that does not have a lot of the features being exploited today. Yes, unpatched old code has vulnerabilities. But they can be patched. And that is what I was looking at today; seeing if I had to scramble and patch some old code. And we are not vulnerable by any tests I have tried both under http and https.
So now back to trying to update mini_httpd and ez-ipupdate.
(And my day job...)
