An old scripting vulnerability that impacts a large number of Linux distributions and programming languages allows for man-in-the-middle attacks that could compromise web servers. The vulnerability, which affects many PHP and CGI web apps, was revealed Monday in tandem with the release of a bevy of patches from impacted companies and platforms.
Researchers at SaaS distributor VendHQ named the vulnerability Httpoxy. It affects server-side web applications that run in Common Gateway Interface (CGI) or CGI-like environments, such as some FastCGI configurations, along with the programming languages PHP, Python, and Go.
“This is a very serious flaw, if you’re one of the few still reliant on CGI and PHP for generating web pages,” said Dominic Scheirlinck, principal engineer at VendHQ and one of several researchers from the firm who discovered Httpoxy. The vulnerability is rated as “medium” by the firm and is easily exploitable.