Earlier this week it was brought to my attention that there is a relatively new exploit affecting people using the PROXY header. Providing support for WP OAuth Server, I can say that many systems use the PROXY header. Some hosts just use it by default.
The exploit is known as httpoxy. You can read more about how it may affect you. I was going to add a feature to the plugin itself that checked for this, but I found that to be too intrusive to the core. The last time WP OAuth Server enforced standards to protect its users, I was bombarded with nasty support tickets for two weeks. The majority have spoken, and I have learned that I should not enforce anything, but that does not mean I should stand by and watch WP OAuth Server be used insecurely without at least speaking my piece.
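For those who do want the check, here is an added example of what it could look like as a WordPress must-use plugin. This is example code written for this post, not part of WP OAuth Server, and it assumes a web SAPI (mod_php or PHP-FPM) where an incoming "Proxy:" request header surfaces as `HTTP_PROXY`; the cleaner fix remains stripping the header at the web server (Apache `RequestHeader unset Proxy early`, or `fastcgi_param HTTP_PROXY "";` in nginx).

```php
<?php
/**
 * Plugin Name: Reject httpoxy Proxy header (example mu-plugin)
 *
 * Place this file in wp-content/mu-plugins/ so it runs before regular
 * plugins. No browser or OAuth client legitimately sends a "Proxy:"
 * request header; under the CGI convention that header becomes the
 * HTTP_PROXY environment variable, which outbound HTTP libraries may
 * honour as a proxy setting. Refusing such requests closes that path
 * before any plugin code, WP OAuth Server included, runs.
 *
 * Assumption: the host does not itself export HTTP_PROXY for outbound
 * traffic; if it does, fix this at the web server instead of here.
 */

function example_httpoxy_guard() {
    // Only meaningful for web requests; WP-CLI may have a real HTTP_PROXY.
    if ( PHP_SAPI === 'cli' ) {
        return;
    }

    if ( ! isset( $_SERVER['HTTP_PROXY'] ) ) {
        return;
    }

    // Scrub every copy of the value so nothing downstream can read it
    // through $_SERVER or getenv().
    unset( $_SERVER['HTTP_PROXY'] );
    putenv( 'HTTP_PROXY' );

    // Leave a trail for the site operator (debug.log when WP_DEBUG_LOG is on).
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( 'httpoxy guard: rejected request from ' . $remote . ' carrying a Proxy header' );

    http_response_code( 400 );
    header( 'Content-Type: text/plain; charset=utf-8' );
    exit( 'Bad Request' );
}

example_httpoxy_guard();
```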
About a year ago I wrote a post about Best Practices and Recommendations for using WP OAuth Server. I highly suggest you take another read to refresh yourself. Below are some suggestions to help you stay safer when using WP OAuth Server.
I cannot stress enough how important it is to only communicate with WP OAuth Server over an HTTPS connection. HTTPS is part of the OAuth2 specification and is required. Without HTTPS, credentials can easily be stolen from the headers and body exchanged in the clear.
For the love of all things WordPress and your sanity (and mine), stay up to date with WordPress and WP OAuth Server. I test all releases against the upcoming beta versions of WordPress. I receive reports of, or find, areas of vulnerability at least once a month, and staying up to date is the best way to ensure that you are not affected.
This is, by far, the biggest killer of security. The idea that “it won’t happen to me” is a sure-fire way to get hacked, exploited, and lose a lot, or even lose everything.
I am available 24 hours a day (although I may not answer right away), so if you have any questions or concerns, or want me to double-check your awesome idea for WP OAuth Server, please contact me via a support ticket or at the WordPress forums.
Please stay safe and updated!
Thanks
Justin Greer
Lead Engineer and Security Expert