Consider blocking the Proxy header in default ht.access to protect against httpoxy #13076

Closed
Mark-H opened this issue Jul 19, 2016 · 2 comments

Comments

@Mark-H
Collaborator

Mark-H commented Jul 19, 2016

Summary

The httpoxy vulnerability (https://httpoxy.org/) might have an impact on MODX or extras, depending on server configuration. This cannot be mitigated from PHP, but for Apache a htaccess blob can help protect against it, so we could include that in the default ht.access.

Observed behavior

Certain aspects of MODX or third party components might be vulnerable. While I don't think MODX or the extras would be to blame, we can help guide people a little bit by adding mitigation into the standard ht.access file in the download.

Expected behavior

The following snippet could be included in the distributed ht.access, which would then automatically be applied when people set up friendly URLs with it:

<IfModule mod_headers.c>
   # httpoxy mitigation: drop any client-supplied "Proxy" request header
   # so it is never handed to the application as the HTTP_PROXY variable.
   RequestHeader unset Proxy
</IfModule>

It'd probably need to have some comments explaining why it's necessary.

Environment

The snippet above is specific to Apache, taken from the official recommendations at https://httpoxy.org/#fix-now which also has snippets for nginx and others.
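As an added illustration (not part of this issue or of MODX's code), the following Python models the CGI header-to-environment mapping that makes a client-supplied Proxy header show up as HTTP_PROXY, and the effect of the Apache directive above; the sample headers and the helper names are constructed for this example.

```python
"""Model of the httpoxy name collision and the header-stripping mitigation.

Constructed example: it mimics how a CGI/FastCGI gateway turns request
headers into HTTP_* environment variables (RFC 3875) and why a
client-supplied "Proxy" header lands in HTTP_PROXY, the variable many
outbound HTTP client libraries read for their proxy setting.
"""

# Environment variables that outbound HTTP clients commonly honour.
PROXY_ENV_VARS = {"HTTP_PROXY"}


def cgi_env_name(header_name: str) -> str:
    """RFC 3875 meta-variable name: 'HTTP_' + upper-case, '-' becomes '_'."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def headers_to_cgi_env(headers, strip=()):
    """Build the CGI environment a gateway would hand to the application.

    `strip` lists header names dropped before the mapping, modelling the
    Apache `RequestHeader unset Proxy` directive from the issue.
    """
    drop = {h.lower() for h in strip}
    env = {}
    for name, value in headers:
        if name.lower() in drop:
            continue  # header removed at the web server, never reaches the app
        env[cgi_env_name(name)] = value
    return env


def find_httpoxy_collisions(env):
    """Return env entries an HTTP client would mistake for proxy configuration."""
    return {k: v for k, v in env.items() if k in PROXY_ENV_VARS}


# Constructed sample request: an ordinary request plus a "Proxy" header,
# which no browser sends on its own.
SAMPLE_HEADERS = [
    ("Host", "example.invalid"),
    ("User-Agent", "constructed-sample/1.0"),
    ("Proxy", "http://proxy-placeholder.invalid:8080"),
]

if __name__ == "__main__":
    print("without mitigation:", find_httpoxy_collisions(headers_to_cgi_env(SAMPLE_HEADERS)))
    print("with 'RequestHeader unset Proxy':",
          find_httpoxy_collisions(headers_to_cgi_env(SAMPLE_HEADERS, strip={"Proxy"})))
```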

@amdbuilder

I would argue this issue should be handled by your host. Adding this seems like a slippery slope; at what point do you stop adding security fixes to the .htaccess and make the host accountable?

I know cPanel added the fix, so any cPanel hosts that update their systems will be protected. If they don't update I would consider looking elsewhere.

@Mark-H
Collaborator Author

Mark-H commented Aug 14, 2017

Agreed.

@Mark-H Mark-H closed this as completed Aug 14, 2017
2 participants