As the security researchers who discovered this issue explicitly state:
Ineffective fixes in PHP
Userland PHP fixes don’t work. Don’t bother:
Using unset($_SERVER['HTTP_PROXY']) does not affect the value returned from getenv(), so is not an effective mitigation
Using putenv('HTTP_PROXY=') does not work either (to be precise: it only works if that value is coming from an actual environment variable rather than a header – so, it cannot be used for mitigation)
Therefore you CANNOT have a PHP defense. What you CAN do, and as it is explicitly stated by them, is add a line in your .htaccess file:
RequestHeader unset Proxy early
You can add this header in the custom directives to put at the bottom of the file section in .htaccess Maker (if you're using .htaccess Maker). We cannot add this to the .htaccess Maker because this line only works if you are using mod_headers. If you are not using mod_headers we would have the choice of either letting your site break or deactivate this line, giving you a false sense of security. Neither is acceptable.
The same applies for NginX and the NginX Conf Maker. Please consult https://httpoxy.org for more information.
In any case, since this is a server-level issue the fix should come from your host by adding a rule in their firewall / mod_security2 setup.
For what it's worth, Joomla! itself IS NOT vulnerable to this attack. The same goes for most –if not all– of its extensions. There are only very few extensions which use the affected libraries. To put things in perspective, even when Akeeba Backup was using Amazon's SDK which does indeed use Guzzle it was an old version of Guzzle (version 3) which is not vulnerable to this attack. Last time I checked Amazon had not updated their SDK to use a newer version of Guzzle so even if an extension uses the official Amazon SDK they should be safe. I'd dare say that the existence of a Joomla! extension which is vulnerable to this attack is quite slim.
In fact, this entire attack is a very esoteric thing, with very small surface area, blown WAAAAAAAAAAAAAAAAAAAAAAAY out of proportion by security researchers with a very good media team (paid for by the oncoming lucrative contracts by companies who got spooked by the media site). Same deal with all previous "OMG! The sky is falling!" named vulnerabilities such as Heartbleed and so on and so forth. Yeah, sure, it's a major issue if you manage to exploit it but a. it doesn't affect that many servers as the press site wants you to think b. it wasn't that easy to exploit anyway, so no, the sky is NOT falling and c. unless your host lives under a rock they've already mitigated it at the server level, where the mitigation actually belongs.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
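The following is an added model of the mechanism discussed in the reply above; it is not code from the original post or from Akeeba. It shows why a client-supplied Proxy header ends up as the HTTP_PROXY CGI variable, why deleting it from the script's own $_SERVER copy does not reach what getenv() reads, and why stripping the header in the web server (the `RequestHeader unset Proxy early` step) is the fix that works. The header values and the simplified getenv()/$_SERVER split are constructed assumptions for illustration.

```python
"""Model of the httpoxy mechanism (added example, not from the original post).

A 'Proxy' request header is mapped to the HTTP_PROXY CGI meta-variable before
the script runs; an HTTP client library then honours it as its outbound proxy.
"""


def cgi_meta_variables(request_headers):
    """RFC 3875 mapping applied by Apache/nginx when handing a request to PHP:
    'Proxy: x' -> HTTP_PROXY=x, 'X-Forwarded-For: y' -> HTTP_X_FORWARDED_FOR=y."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in request_headers.items()}


def strip_proxy_header(request_headers):
    """Server-level mitigation: drop the Proxy header before the mapping happens,
    the analogue of 'RequestHeader unset Proxy early' in Apache."""
    return {name: value for name, value in request_headers.items()
            if name.lower() != "proxy"}


def outbound_proxy(env):
    """What a CGI-era HTTP client does: use HTTP_PROXY from its environment."""
    return env.get("HTTP_PROXY") or None


def simulate(request_headers, server_strips_header, userland_unset):
    """Return the proxy an HTTP client inside the script would end up using.

    server_strips_header: mitigation applied in the web server (effective).
    userland_unset: the script runs unset($_SERVER['HTTP_PROXY']) (ineffective),
    because getenv() reads the SAPI's parameter set, not the $_SERVER copy.
    (Simplified model of PHP's behaviour, assumed for illustration.)"""
    if server_strips_header:
        request_headers = strip_proxy_header(request_headers)
    sapi_params = cgi_meta_variables(request_headers)   # what getenv() reads
    superglobal = dict(sapi_params)                     # $_SERVER is a copy
    if userland_unset:
        superglobal.pop("HTTP_PROXY", None)             # touches the copy only
    return outbound_proxy(sapi_params)


# Constructed sample requests: one carrying a hostile Proxy header, one benign.
MALICIOUS_HEADERS = {"Host": "example.com", "Proxy": "http://rogue-proxy.example:8080"}
BENIGN_HEADERS = {"Host": "example.com", "User-Agent": "curl"}

if __name__ == "__main__":
    print(simulate(MALICIOUS_HEADERS, False, False))  # http://rogue-proxy.example:8080
    print(simulate(MALICIOUS_HEADERS, False, True))   # http://rogue-proxy.example:8080
    print(simulate(MALICIOUS_HEADERS, True, False))   # None
```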