alphaspirit - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Risk & Repeat: How bad is the httpoxy vulnerability?

Listen to this podcast

In this Risk & Repeat podcast, SearchSecurity editors analyze the httpoxy vulnerability and discuss why it took so long to uncover and address a 15-year-old security flaw.

The discovery of the software flaw known as httpoxy, which had been overlooked for more than a decade, has raised questions about the state of security vulnerability research.

The httpoxy vulnerability is a 15-year-old security flaw that affects CGI-based applications in several software languages, including PHP, Python and Go. The flaw, which was discovered by Dominic Scheirlinck, principal engineer at e-commerce technology firm Vend, enables direct man-in-the-middle attacks on server-side web applications and web services.

Scheirlinck explained that the httpoxy flaw was first discovered in 2001 in programming languages Perl and cURL. However, no one researched or reported how the vulnerability affected other languages like PHP and Python, and in 2012 developers avoided incorporating it in Ruby. "So the bug was lying dormant for years, like a latent infection: pox," Scheirlinck wrote. "We imagine that many people may have found the issue over the years, but never investigated its scope in other languages and libraries."

How serious is the httpoxy vulnerability? How did the flaw go unaddressed for so long? Why didn't security vendors discover it before Vend? In this episode of SearchSecurity's Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss those questions and more in a conversation about branded vulnerabilities, responsible disclosure and the state of security vulnerability research.

Next Steps

Risk & Repeat: Catching Pokémon GO security issues

Risk & Repeat: Breaking down the Clinton email server probe

Risk & Repeat: Project Zero finds more critical Symantec bugs