freistilbox secured against httpoxy attack
Published 2016-07-18 by Jochen Lillich
Today Drupal security advisory SA-CORE-2016-003 was published, announcing a highly critical security vulnerability affecting Drupal 8:
Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org.
In order to mitigate this vulnerability, we have applied specific changes to our freistilbox infrastructure. Our Edge Routers will now remove any malicious HTTP header trying to inject external proxy server addresses.
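The header-stripping mitigation described above, as an added Python example (not freistilbox's Edge Router code). It assumes the header in question is `Proxy`, as documented at https://httpoxy.org, which CGI-style gateways expose to the application as `HTTP_PROXY`; the function names and the sample request are constructed for illustration.

```python
# Added illustration; not freistilbox's Edge Router code.

# Constructed sample request headers (addresses are documentation placeholders).
SAMPLE_HEADERS = [
    ("Host", "www.example.com"),
    ("User-Agent", "curl/8.0"),
    ("Proxy", "203.0.113.10:8080"),
    ("pRoXy", "203.0.113.11:8080"),  # header names are case-insensitive
]


def cgi_environ(headers):
    """Map request headers to CGI variables: HTTP_ + upper-cased name, '-' -> '_'."""
    env = {}
    for name, value in headers:
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        # Repeated headers are joined with a comma.
        env[key] = f"{env[key]}, {value}" if key in env else value
    return env


def strip_proxy_header(headers):
    """Edge-side filter: drop every header that would become HTTP_PROXY."""
    kept, removed = [], []
    for name, value in headers:
        if "HTTP_" + name.strip().upper().replace("-", "_") == "HTTP_PROXY":
            removed.append((name, value))
        else:
            kept.append((name, value))
    return kept, removed


if __name__ == "__main__":
    print("unfiltered:", cgi_environ(SAMPLE_HEADERS).get("HTTP_PROXY"))
    kept, removed = strip_proxy_header(SAMPLE_HEADERS)
    print("removed at edge:", removed)
    print("filtered:", cgi_environ(kept).get("HTTP_PROXY"))
```

Logging the `removed` list at the edge gives operators a record of requests that carried the header.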
Despite these security improvements in our hosting platform, we recommend that customers upgrade their Drupal 8 web applications as soon as possible. Drupal 8.1.7 is already available and fixes the vulnerable library.