Weblog

18 July 2016, 20:49

There is some fuss going on about httpoxy. According to the httpoxy website, it's a 'set of vulnerabilities that affect application code running in CGI, or CGI-like environments'. If you ask me, it's just another blindly-trusting-user-input stupidity.

So, what's going on? It's all about a non-official HTTP header named 'Proxy'. Some HTTP client applications or libraries seem to blindly trust its content and will use the proxy mentioned in it to send HTTP requests. If your server-side application uses such vulnerable client software to make an HTTP request (now called a back-end request), an attacker can send a Proxy header in his own HTTP request to make the back-end request be sent to his own server. That back-end request may contain confidential information.

How to block such requests? Since it's not an official HTTP header, no sane client will send it. Simply block any such request (or ban the sending client) via the UrlToolkit:

UrlToolkit {
  ToolkitID = block_httpoxy
  Header Proxy .* DenyAccess
}
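
The same deny rule at application level, as an added example that is not part of Hiawatha or of the original post. It relies on the CGI convention (RFC 3875) that a request header Name becomes the variable HTTP_NAME, which is how a client's Proxy header ends up as HTTP_PROXY; the names cgi_environ, DenyProxyHeader, demo_app and run are hypothetical, and the sample requests are constructed.

```python
# Added example (not Hiawatha code): how a client "Proxy" header reaches
# HTTP_PROXY in a CGI-style environment, and a WSGI guard that rejects it.

def cgi_environ(headers, base_env=None):
    """Simplified CGI mapping (RFC 3875): header 'Name-Part' becomes
    the meta-variable 'HTTP_NAME_PART'."""
    env = dict(base_env or {})
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def has_proxy_header(environ):
    """True when the request carried a Proxy header, whatever its value."""
    return "HTTP_PROXY" in environ

class DenyProxyHeader:
    """WSGI middleware: answer 403 before the application (and any HTTP
    client library it uses) ever sees a request with a Proxy header."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if has_proxy_header(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    # Hypothetical application; stands in for code making back-end requests.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def run(headers):
    """Send constructed headers through the guard; return (status, body)."""
    seen = {}
    def start_response(status, response_headers):
        seen["status"] = status
    env = cgi_environ(headers, {"REQUEST_METHOD": "GET", "PATH_INFO": "/"})
    body = b"".join(DenyProxyHeader(demo_app)(env, start_response))
    return seen["status"], body

if __name__ == "__main__":
    # Constructed sample requests; proxy.example is a placeholder host.
    print(run([("Host", "www.example.org")]))
    print(run([("Host", "www.example.org"), ("Proxy", "http://proxy.example:8080")]))
```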

18 July 2016, 17:46

Apply the following patch to Hiawatha v10.3 to make it compile with mbed TLS v2.3.0.

--- src/rproxy.h	2015-07-13 15:21:34.000000000 +0200
+++ src/rproxy.h	2016-07-18 17:29:46.813754000 +0200
@@ -19,6 +19,7 @@
 #include 
 #include 
 #ifdef ENABLE_TLS
+#include "mbedtls/platform.h"
 #include "mbedtls/ssl.h"
 #endif
 #include "ip.h"
--- src/tls.h	2016-02-14 14:45:44.000000000 +0100
+++ src/tls.h	2016-07-18 17:29:35.797754000 +0200
@@ -18,6 +18,7 @@
 
 #include 
 #include "liblist.h"
+#include "mbedtls/platform.h"
 #include "mbedtls/ssl.h"
 #include "mbedtls/x509.h"
 #include "mbedtls/version.h"
--- src/wigwam.c	2016-04-30 12:41:04.000000000 +0200
+++ src/wigwam.c	2016-07-18 17:30:12.677754000 +0200
@@ -33,6 +33,7 @@
 #include "filehashes.h"
 #include "mbedtls/md5.h"
 #ifdef ENABLE_TLS
+#include "mbedtls/platform.h"
 #include "mbedtls/ssl.h"
 #include "mbedtls/x509.h"
 #endif
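Review bot: In src/wigwam.c the new include sits inside #ifdef ENABLE_TLS, but mbedtls/md5.h is included unconditionally two lines above the guard. If the md5 header can also depend on platform.h, a build without ENABLE_TLS would still fail; please confirm that configuration compiles, or move the platform.h include above the #ifdef, before mbedtls/md5.h.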

Place this patch in a file called hiawatha-10.3.patch and use the following command from within the Hiawatha source directory to apply the patch:

patch -p0 < hiawatha-10.3.patch

After applying the patch, recompile Hiawatha.

The biggest change in this release is the way the PreventCSRF, PreventSQLi and PreventXSS options work. In previous releases, those options could only be turned on or off. The idea of those features was to only turn them on when a web application was vulnerable to such an attack or there was a serious suspicion it was. However, many people turned them on, even when the web application was very secure. This led to issues, especially with the PreventSQLi option, because requests that would lead to an SQL injection on a vulnerable application were blocked. But since the application was not vulnerable to SQL injection, the block was unjustified.

To make those options more useful, you can now make Hiawatha run them in detect-mode. Hiawatha will look for attacks and report them (via logfiles and the Monitor), but won't block any request. You can use this to learn what kind of attacks take place at your website, the number of attacks and, most importantly, how many of those are actual attacks and how many only match the pattern of an attack.

The Let's Encrypt script and the support for it have also been improved. The script itself now supports revocation of a certificate. Hiawatha will now also ignore the RequireTLS setting for requests to /.well-known/acme-challenge/, because the Let's Encrypt CA server will request a verification file from that directory via HTTP during a certificate request or renewal. A redirect to HTTPS will disrupt that process.

The Hiawatha v10.2 source package contains a script which can be used to retrieve a Let's Encrypt certificate. A few changes have been made to the AccessList and PasswordFile options to make obtaining a Let's Encrypt certificate easy. Consult the manual page for the details. The script can be found in the source package in the directory 'extra'.

12 April 2016, 08:03

"The small but secure Hiawatha web server provides an appealing alternative to the complex Apache and other alternatives."

Security on the Internet is vital. The Hiawatha web server is a small (and free) web server that subscribes to the principle "security by default."

The upcoming edition of the Admin magazine will contain a story about Hiawatha. Many thanks to Hans-Cees Speel.