Our software messageconcept PeopleSync uses Microsoft Internet Information Services (IIS) to publish contact data via the CardDAV protocol over HTTPS. The Austrian national Computer Emergency Response Team (CERT) published a bulletin this week regarding a critical security vulnerability in CGI. CERT recommends changing the webserver configuration immediately to hide the following information in the HTTP header for script access:
- Proxy
- Proxy_Host
- Proxy_Port
- Proxy_User
- Proxy_Pass
- Proxy_Password
As PeopleSync uses FastCGI, CERT recommends applying the following rules in the applicationHost.config file to filter some environment variables:
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
        <match url="*.*" />
        <serverVariables>
          <set name="HTTP_PROXY" value="" />
        </serverVariables>
        <action type="None" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
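The script below is an added example, not code from messageconcept or CERT. It shows why a client-supplied Proxy header reaches a FastCGI application as HTTP_PROXY, models what the rewrite rule above does to it, and audits a configuration fragment for that rule; the sample headers, the documentation IP address and the audit function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def cgi_meta_variables(headers):
    """RFC 3875 4.1.18: header name upper-cased, '-' -> '_', prefixed HTTP_.
    A client header "Proxy" thus arrives as HTTP_PROXY, which many HTTP client
    libraries read as their outbound proxy setting."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers.items()}

def apply_erase_rule(env):
    """Model the IIS rewrite rule: HTTP_PROXY becomes "" on every request."""
    cleared = dict(env)
    cleared["HTTP_PROXY"] = ""
    return cleared

def effective_proxy(env):
    """Proxy a library honouring HTTP_PROXY would use; empty means none."""
    return env.get("HTTP_PROXY") or None

def has_erase_http_proxy_rule(config_xml):
    """Audit helper (hypothetical, not an IIS API): True if the fragment has a
    rewrite rule matching all URLs that sets HTTP_PROXY to an empty value."""
    root = ET.fromstring(config_xml)
    for rule in root.iter("rule"):
        match = rule.find("match")
        if match is None or match.get("url") not in ("*", "*.*"):
            continue
        for s in rule.findall("serverVariables/set"):
            if s.get("name", "").upper() == "HTTP_PROXY" and s.get("value", "") == "":
                return True
    return False

# Constructed sample request: a Host header plus a Proxy header any client may
# send (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_HEADERS = {"Host": "peoplesync.example", "Proxy": "http://203.0.113.10:8080"}

# Constructed copy of the rule recommended above, with plain ASCII quotes.
SAMPLE_CONFIG = """<system.webServer><rewrite><rules>
  <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
    <match url="*.*" />
    <serverVariables><set name="HTTP_PROXY" value="" /></serverVariables>
    <action type="None" />
  </rule>
</rules></rewrite></system.webServer>"""
```

IIS URL Rewrite only lets a rule set a server variable that is listed under <allowedServerVariables> in applicationHost.config; the audit function above does not check that list.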
In general, CERT recommends patching all software components with the latest fixes. messageconcept also recommends updating PeopleSync to version 16.1. Besides new functionality, the new release supports PHP 5.6, which addresses security flaws in PHP.