PageSpeed Module Update Addressing CVE-2016-3626
Google has released an important security notice regarding a vulnerability (CVE-2016-3626) in the PageSpeed Module. The recommendation was to immediately update to the newest version of PageSpeed as all previous versions were affected.
CVE-2016-3626 permits a third party to trick the PageSpeed module into making arbitrary HTTP requests on arbitrary ports and re-hosting the response. If the machine running PageSpeed has access to services that are not otherwise available, this can reveal those resource and can also be used for cross-site scripting (XSS). XSS is one of the most commonly documented security vulnerability and enables attackers to inject client-side scripts into web pages as well as bypass access controls and tracking pages to reveal data as if another page of the same origin has requested it.
We, at FastComet address this by updating all of our shared hosting servers to the latest stable release of PageSpeed (ver. 220.127.116.11). The maintenance was performed without any downtime for our clients and their websites.
We have and will continue to stay on top of possible security vulnerabilities that could expose our clients to malicious activities.
The latest tips and news from the industry straight to your inbox!
Join 30,000+ subscribers for exclusive access to our monthly newsletter with insider cloud, hosting and WordPress tips!