Proxy Server
I. BACKGROUND
Sun Microsystems Inc.'s Java System is a collection of server
applications bundled together. One such server application is the Web
Proxy Server. This software implements proxy services including HTTP and
SOCKSv5.
For more information, visit
http://www.sun.com/software/products/web_proxy/home_web_proxy.xml.
By Michael Brooks
Vulnerability type: Multiple remote system command execution.
Software: Anon Proxy Server
Home page: http://sourceforge.net/projects/anonproxyserver/
Affects version: 0.100
It is possible to access the Sawmill setup page in order to reset the
Sawmill root username and password with a standard user account.
A standard user is also able to gain access to more functions within
the interface (e.g. regarding profiles) just by changing local
JavaScript variables, e.g. through an intercepting proxy server.
3) XSS / CSRF
There are many parameters which are not properly sanitised and are
vulnerable to XSS. Furthermore, no protection against CSRF is in place.
3proxy ( http://3proxy.ru/ ) is a multi-platform (Windows, Linux, Unix),
multi-protocol proxy server with the ability to manage traffic flows and
bandwidth, convert requests between different proxy types, and
authenticate, authorize, control, limit and account users' access, and
more.
3proxy version 0.5.3j was released to address a double free()
vulnerability in the FTP proxy module (ftppr) reported by Venustech AD-LAB
(CVE-2007-5622). Vulnerable 3proxy versions are 0.5 - 0.5.3i. Current
10.10.10.0 255.255.255.0" inside is present in the configuration, then
only crafted HTTPS requests coming from the 10.10.10.0/24 network may
represent an issue for the device.
No other HTTP(S) services are known to be affected, such as HTTP
Inspection, HTTP/HTTPS Proxy Server and HTTP redirect.
To confirm if the HTTPS server is enabled, log in to the FWSM and issue
the CLI command "show running-config | include http". If the output
contains both "http server enable" and "http <source IP> <address mask>
<source interface>", then the device has a vulnerable configuration. The
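The configuration check above is easy to get wrong when auditing many devices by hand, so here it is as a script. This is an added example, not Cisco code: it scans a running-config excerpt for both conditions the advisory names ("http server enable" plus at least one "http <source IP> <address mask> <source interface>" line) and answers whether a given source address on a given interface could reach the HTTPS server at all. The SAMPLE_CONFIG text is constructed for illustration.

```python
"""Check an FWSM/ASA-style running-config excerpt for the vulnerable HTTPS
server configuration described above. Added example, not Cisco code; the
SAMPLE_CONFIG text is constructed for illustration."""
import ipaddress
import re

SAMPLE_CONFIG = """\
hostname fwsm-edge
http server enable
http 10.10.10.0 255.255.255.0 inside
http 192.0.2.10 255.255.255.255 management
no http redirect outside
"""

# 'http <source IP> <address mask> <source interface>'
HTTP_SRC_RE = re.compile(
    r"^\s*http\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$"
)


def http_server_enabled(config):
    """True if the HTTPS management server is turned on."""
    return any(line.strip() == "http server enable" for line in config.splitlines())


def allowed_http_sources(config):
    """List of (network, interface) pairs permitted to reach the HTTPS server."""
    sources = []
    for line in config.splitlines():
        m = HTTP_SRC_RE.match(line)
        if m:
            # ipaddress accepts 'address/netmask' notation for IPv4
            net = ipaddress.ip_network("%s/%s" % (m.group(1), m.group(2)), strict=False)
            sources.append((net, m.group(3)))
    return sources


def vulnerable_configuration(config):
    """Both conditions from the advisory must hold: the server is enabled
    AND at least one source network is permitted."""
    return http_server_enabled(config) and bool(allowed_http_sources(config))


def source_can_reach(config, src_ip, interface):
    """Can a crafted HTTPS request from src_ip arriving on `interface`
    reach the server at all? Only such sources matter for this issue."""
    if not vulnerable_configuration(config):
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net and iface == interface
               for net, iface in allowed_http_sources(config))


def summarize(config):
    """Human-readable list of exposed source networks, e.g. for a fleet audit."""
    if not vulnerable_configuration(config):
        return []
    return ["%s via %s" % (net, iface) for net, iface in allowed_http_sources(config)]


if __name__ == "__main__":
    for entry in summarize(SAMPLE_CONFIG):
        print("exposed:", entry)
```

Feed it the output of "show running-config | include http" from each device; an empty list from summarize() means the device is not in the vulnerable configuration, and source_can_reach() tells you whether a particular attacker position (address and ingress interface) matters.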
BACKGROUND
The Hewlett-Packard Company thanks an anonymous researcher working with TippingPoint (www.tippingpoint.com) and the Zero Day Initiative (www.zerodayinitiative.com) for reporting this to security-alert@hp.com.
Note: The httpd.tkd module is used by several OpenView Configuration Management (CM) and OpenView Client Configuration Management (CCM) Infrastructure components. These components include OS Manager, Policy Server, Portal, Patch Manager, Proxy Server, Distributed Configuration Server and Multicast Server. There may be more than one httpd.tkd module on a system. Each must be replaced. Please refer to the patch documentation for further information.
Note: The following is for use by the HP-UX Software Assistant. Only the HP-UX versions are listed
AFFECTED VERSIONS
- Kaspersky Business Space Security
- Kaspersky Work Space Security
- Kaspersky Enterprise Space Security
- Kaspersky Targeted Security
- Kaspersky® Anti-Virus for Microsoft ISA Server
- Kaspersky® Anti-Virus for Proxy Server
- Kaspersky® Anti-Virus for Check Point Firewall-1
- Kaspersky® Anti-Virus for Windows Server
- Kaspersky® Anti-Virus for Windows Server Enterprise Edition
- Kaspersky® Anti-Virus for Novell NetWare
- Kaspersky® Anti-Virus for Linux File Server
======================================================================
Anon Proxy Server <= 0.102 remote buffer overflow
======================================================================
Author: L4teral <l4teral [4t] gmail com>
Impact: remote buffer overflow
Status: patch available
------------------------------
Background
==========
Sarg (Squid Analysis Report Generator) is a tool that provides much
information about Squid web proxy server users' activities: time,
sites, traffic, etc.
Affected packages
=================
Dear lee.e.rian@census.gov,
Why do you think you can't do it with SNMP? Examples are setting the DNS
server option via DHCP (or the DNS domain name for the proxy server
autodiscovery protocol) or even configuring a VPN tunnel for all
traffic. I'm not sure about Tsunami, for Orinoco these settings are
read/write:
http://support.ipmonitor.com/mibs/ORINOCO-MIB/oids.aspx
Conclusions and real life results
----------------------------------
This attack can make the web server unresponsive in a short period of
time (under 2 minutes) with a very small number of requests.
Also, this attack doesn't leave any obvious tracks in the logs (only a
bunch of POST requests) and can be executed through a proxy server.
Some operating systems will handle this condition very badly.
For example in one case (a FreeBSD 7.1), the network stack completely
crashed and the server was unreachable from the local network.
I had to manually restart it from the console.
The FTP proxy used in Apple's Airport Express, Airport Extreme, Time Capsule and possibly elsewhere doesn't check the client-provided address and port given by the FTP PORT command against the IP address of the connecting client, or against the use of privileged ports. (The FTP PORT command is used by an FTP client to tell an FTP server which address and data port to initiate the data connection to.) The FTP proxy is used to provide assistance to clients operating in NAT environments served by the Apple products. FTP servers running behind a NAT with this assistance can have addresses in the command channel rewritten for them so that external clients can reach them when operating in passive mode. The ALG operates as a proxy server, assuming responsibility for connections to the FTP server, and must therefore also handle and rewrite the PORT command. It looks like it might be ftp-proxy from PF.
The effect of this problem is to allow anybody with access to the FTP port forwarded on the exterior side of an Apple Airport product that offers NAT to internal clients, which for a publicly-accessible FTP server is the big bad world, to induce an FTP server operating behind a NAT to send data to arbitrary addresses and ports. This is true even if the FTP server is configured to operate more securely, since it sees connections from the NAT's exterior interface, not the connecting client. This is useful for bouncing anonymous port scans off the victim NAT, or if data is available or can be written to and then read from the FTP server, potentially for anonymous attacks, spam, news floods, and other such badness. Any trust relationship and/or security implied or assumed by a NAT is also gone, since the PORT command can also specify private addresses, inside the NAT, for victimisation. Best of all, the gateway itself makes no log entry concerning FTP connections that have been run through the proxy.
Workarounds: do not use FTP; do not trigger the use of the ALG (FTP proxy) by explicitly using ports other than 21 on the inbound port mapping. If you can't do those things, you can avoid the worst effects of this attack by disabling FTP uploads that can later be downloaded by anonymous users.
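The check the advisory says the ALG omits is small, and worth seeing in code. The following is an added example, not Apple's or PF ftp-proxy's code: it parses a PORT command and accepts it only if the data connection goes back to the connecting client on an unprivileged port, which is exactly what blocks the bounce scan and the inside-address cases described above. The client address and PORT strings are constructed for illustration.

```python
"""Validate an FTP PORT command the way a NAT ALG / FTP proxy should.
Added example, not Apple's or PF ftp-proxy code; the sample commands and
client addresses are constructed."""
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2  (RFC 959: address bytes, then port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip_string, port) from a PORT command, or raise ValueError."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def port_command_allowed(line, client_ip):
    """Accept only data connections back to the connecting client on an
    unprivileged port. Rejecting a mismatched address stops bounce scans
    and targeting of hosts inside the NAT (the PORT command could name an
    RFC1918 address); rejecting ports below 1024 stops abuse of privileged
    services on the client itself."""
    try:
        ip, port = parse_port_command(line)
    except ValueError:
        return False
    if ipaddress.IPv4Address(ip) != ipaddress.IPv4Address(client_ip):
        return False
    if port < 1024 or port > 65535:
        return False
    return True


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed: the external client's address
    for cmd in ("PORT 198,51,100,7,4,1",      # legitimate: back to client, port 1025
                "PORT 203,0,113,9,0,22",      # bounce scan against a third party
                "PORT 192,168,1,10,4,1",      # host inside the NAT
                "PORT 198,51,100,7,0,25"):    # privileged port on the client
        print(cmd, "->", "allow" if port_command_allowed(cmd, client) else "reject")
```

A real proxy would apply the same rule after NAT rewriting, comparing against the address it actually sees the control connection from, which is the only address it can trust.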
Apple likes to keep secrets for the protection of its customers. Since the reasonable release of this advisory removes that protection, confidential information vouchsafed to me can be safely disclosed with no ill effects. Apple has a fix, and according to its last seemingly automatic template message, they are still testing it and do not know precisely when it will be released. This is confidential information. DO NOT DISCLOSE!
Advisory history:
Edit a normal access log and set the request method to an overly long
string.
Edit a normal useragent log and set the useragent field to an overly
long string or send a request to the Squid proxy server passing an
overly long string as useragent in the HTTP header.
---------
Solution:
Due to this vulnerability, an attacker can control the execution path
remotely.
Impact:
--------
Arbitrary code can be executed on the proxy server remotely.
On a normal setup the HTTP proxy is running on the same machine as the 4760
management system.
Due to this vulnerability an attacker can gain access to administrative
functions of the PBX and to the internal network, possibly a DMZ.
Problem Description:
A stack-based buffer overflow in sarg (Squid Analysis Report Generator)
allowed remote attackers to execute arbitrary code via a long Squid
proxy server User-Agent header (CVE-2008-1167).
A cross-site scripting vulnerability in sarg version 2.x prior to
2.2.5 allowed remote attackers to inject arbitrary web script or
HTML via the User-Agent header, which is not properly handled when
displaying the Squid proxy log (CVE-2008-1168).
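Both sarg issues come from trusting the User-Agent field of the Squid useragent log: one copies it into a fixed-size buffer (the overflow), the other writes it into the HTML report unescaped (the XSS). The following is an added example, not sarg's code, showing the two defensive steps a report generator needs: a bounded field length enforced at parse time, and escaping at render time. The log line layout (client address, bracketed timestamp, quoted agent string), the 255-byte limit and the sample lines are assumptions constructed for illustration; the third line carries the overly long agent string the advisory describes.

```python
"""Defensive handling of the Squid useragent log field that CVE-2008-1167
(overflow) and CVE-2008-1168 (XSS) abuse. Added example, not sarg's code.
The log line format, the MAX_AGENT_LEN cap and the sample lines are
assumptions constructed for illustration."""
import html
import re

MAX_AGENT_LEN = 255   # assumed cap for a report field; longer entries are rejected
# assumed layout: '<client ip> [<timestamp>] "<user-agent>"'
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(.*)"$')


class MalformedLogLine(ValueError):
    pass


def parse_useragent_line(line):
    """Parse one line into a dict, refusing anything malformed or oversized.
    Checking the length here is the fix for the overflow class: the field
    never gets copied into a fixed-size buffer unchecked."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        raise MalformedLogLine("unexpected format")
    client, stamp, agent = m.groups()
    if len(agent) > MAX_AGENT_LEN:
        raise MalformedLogLine("user-agent field too long (%d bytes)" % len(agent))
    return {"client": client, "timestamp": stamp, "agent": agent}


def render_agent_cell(agent):
    """HTML for the report table; escaping here is what the XSS fix amounts to."""
    return "<td>%s</td>" % html.escape(agent, quote=True)


def build_report(lines):
    """Return (html_rows, rejected_count) for a batch of log lines."""
    rows, rejected = [], 0
    for line in lines:
        try:
            rec = parse_useragent_line(line)
        except MalformedLogLine:
            rejected += 1
            continue
        rows.append("<tr><td>%s</td>%s</tr>" % (html.escape(rec["client"]),
                                                 render_agent_cell(rec["agent"])))
    return rows, rejected


# constructed sample log: a normal entry, a script-injection attempt, an oversized agent
SAMPLE_LOG = [
    '10.0.0.5 [10/Jan/2008:12:34:56 +0000] "Mozilla/5.0 (X11; Linux)"',
    '10.0.0.6 [10/Jan/2008:12:35:01 +0000] "<script>alert(1)</script>"',
    '10.0.0.7 [10/Jan/2008:12:35:09 +0000] "' + "A" * 4096 + '"',
]

if __name__ == "__main__":
    rows, rejected = build_report(SAMPLE_LOG)
    print("\n".join(rows))
    print("rejected lines:", rejected)
```

The same two rules apply to the access-log request method mentioned in the exploitation notes above: bound it on input, escape it on output.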
> misconfiguration that can result in a minor security issue with web
> applications.
Interesting research, Tavis!
Have you looked at what a proxy-server would do with this type of
request? Most fail with "requested URL could not be retrieved" error but
some report the URL back to the browser. Squid in particular does but it
filters HTML characters.
Also if the proxy server is on a regular server (vs a content engine)
Workaround
Always require password authentication, even for proxy connections
Alternatively, disable proxy authentication mode and enforce this policy by configuring the SecureSphere Database Security Gateway to alert when users are granted proxy access
The SecureSphere Database Security Gateway can also enforce all proxy account connections to the database originate from the proxy server IP address
Discovered by:
Amichai Shulman - Imperva Co-Founder, CTO and Head of Imperva’s Application Defense Center (ADC).
> Not to step in to the middle of this, but I once worked for an employer with what I
> considered the best way of stopping attacks cold: a proxy server that prompted you for your
> credentials when you went to an external web site and gp settings that disabled the ability
> to save your username/password locally as well as tight settings on the systems to prevent
> pretty much anything from being installed or modified. So every time you opened up a brand
A Denial of Service vulnerability has been reported in Squid.
Background
==========
Squid is a multi-protocol proxy server.
Affected packages
=================
-------------------------------------------------------------------
Where: Remote
======================================================================
3) Vendor's Description of Software
"Ziproxy is a forwarding, non-caching, compressing HTTP proxy server.
Basically it squeezes images by converting them to lower quality JPEGs
or JPEG 2000 and compresses (gzip) HTML and other text-like data."
Product Link:
http://ziproxy.sourceforge.net/
====[ SYNOPSIS ]=====================================================
VideoCache is a Squid URL rewriter plugin written in Python for
bandwidth optimization while browsing video sharing websites. Version
1.9.2 allows a user with the privileges of the Squid proxy server to
append semi-arbitrary data to arbitrary files with root privileges, upon
the administrator's execution of the 'vccleaner' utility.
====[ DISCUSSION ]===================================================
[6] Proof-of-concept exploitation tool for the ABO2 exercise (compiled
with Borland BCC32).
http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=advisory&page=CORE-2009-0803&file=vp_abo2_launcher.c
[7] Multiple security vulnerabilities in the HTTP TRACE, WebDAV and
Digest Authentication Methods in the Sun Java System Web Server and Sun
Java System Web Proxy Server.
http://sunsolve.sun.com/search/document.do?assetkey=1-66-275850-1
[8] Proof-of-concept exploitation tool for the Java System Webserver
buffer overflow when running on a Virtual PC guest.
http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=advisory&page=CORE-2009-0803&file=sunjavawebserver-webdav-vpc-poc.zip
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2629
Chris Ries discovered that nginx, a high-performance HTTP server, reverse
proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when
processing certain HTTP requests. An attacker can use this to execute
arbitrary code with the rights of the worker process (www-data on Debian)
or possibly perform denial of service attacks by repeatedly crashing
worker processes via a specially crafted URL in an HTTP request.
Background
==========
nginx is a robust, small and high performance HTTP and reverse proxy
server.
Affected packages
=================
-------------------------------------------------------------------
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Date 20100110
I. BACKGROUND
nginx is an HTTP and reverse proxy server written by Igor Sysoev.
Varnish is a state-of-the-art, high-performance HTTP accelerator.
Cherokee is a very fast, flexible and easy to configure Web Server.
thttpd is a simple, small, portable, fast, and secure HTTP server.
mini_httpd is a small HTTP server.
WEBrick is a Ruby library providing simple HTTP web server services.
Debian-specific: no
CVE Id(s) : CVE-2007-5034
Debian Bug : 443891
Kalle Olavi Niemitalo discovered that elinks, an advanced text-mode WWW
browser, sent HTTP POST data in cleartext when using an HTTPS proxy server,
potentially allowing private information to be disclosed.
For the stable distribution (etch), this problem has been fixed in version
0.11.1-1.2etch1.
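The elinks bug is a protocol-level one: when an https:// URL goes through a proxy, the only thing the client may send in clear is a CONNECT request for the tunnel; the real request, body included, belongs inside the TLS session. The following is an added example, not elinks code, that builds both exchanges so the difference is visible: the correct one, and a broken client that treats the HTTPS proxy like a plain HTTP proxy and sends the absolute-form POST, body and all, before any TLS exists (one way the reported leak manifests; an assumption for illustration). The URL and body are constructed and nothing touches the network.

```python
"""Correct CONNECT-tunnel exchange for https:// through a proxy beside the
cleartext mistake described for elinks above. Added example, not elinks
code; URLs and body are constructed, no network I/O."""
from urllib.parse import urlsplit


def _request_head(method, target, host, body):
    return "%s %s HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\n\r\n" % (
        method, target, host, len(body))


def correct_proxy_exchange(url, method="GET", body=b""):
    """Return (cleartext_to_proxy, sent_inside_tls).
    https: only the CONNECT line is cleartext; the origin-form request with
    its body is returned separately and must go through the TLS tunnel.
    http: there is no tunnel, so the whole request is cleartext by design."""
    u = urlsplit(url)
    if u.scheme == "https":
        port = u.port or 443
        connect = "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (
            u.hostname, port, u.hostname, port)
        path = (u.path or "/") + ("?" + u.query if u.query else "")
        return connect.encode(), _request_head(method, path, u.netloc, body).encode() + body
    if u.scheme == "http":
        return _request_head(method, url, u.netloc, body).encode() + body, b""
    raise ValueError("unsupported scheme: %s" % u.scheme)


def broken_proxy_exchange(url, method="GET", body=b""):
    """Assumed shape of the bug: the absolute-form request, body included,
    is written to the proxy socket in clear regardless of scheme."""
    u = urlsplit(url)
    return _request_head(method, url, u.netloc, body).encode() + body, b""


def body_leaks_in_clear(exchange, url, method, body):
    """True if the request body appears in the bytes sent to the proxy unencrypted."""
    clear, _inside = exchange(url, method, body)
    return body in clear


if __name__ == "__main__":
    url, body = "https://example.com/login", b"user=alice&pw=s3cret"  # constructed
    for name, fn in (("correct", correct_proxy_exchange), ("broken", broken_proxy_exchange)):
        print(name, "leaks body in clear:", body_leaks_in_clear(fn, url, "POST", body))
```

A packet capture between the client and the proxy is the practical confirmation: for an https:// URL you should see nothing after the CONNECT line and the proxy's "200 Connection established" that is readable.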
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1612
In DSA 1646-1, an update was announced for a denial of service
vulnerability in squid, a caching proxy server. Due to an error in
packaging and in testing, the updated packages did not correct the
weakness. An updated release is available which corrects the error.
For reference, the original advisory text follows.
A weakness has been discovered in squid, a caching proxy server. The
could exploit this to perform script injection attacks using XBL bindings.
(CVE-2009-1308)
Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang discovered that
Thunderbird did not properly handle error responses when connecting to a
proxy server. If a user had JavaScript enabled while using Thunderbird to
view websites and a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to view sensitive
information. (CVE-2009-1836)
It was discovered that Thunderbird could be made to run scripts with
Vulnerability description:
--------------------------
1) An attacker is able to access the administration interface from the WLAN by
manipulating the "Host:" header and Request-URI in the HTTP GET request to the
proxy server running on the AMG-2000. It is possible to specify arbitrary IP
addresses (such as 127.0.0.1 or IPs from the internal network of the
management "private LAN" port) which an attacker is then able to access. The
squid proxy runs on port 2128 by default on the AMG-2000.
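The AMG-2000 issue is a missing destination policy on the proxy: whichever of the Request-URI and the Host header the proxy uses to pick the upstream, it must refuse to open connections to itself or to the management network. The following is an added example, not ZyXEL's or Squid's code, showing that check. It derives the target the way HTTP/1.1 does (an absolute-form Request-URI wins over Host, per RFC 7230), then rejects loopback, link-local and an assumed management "private LAN" range; hostnames that are not IP literals would need resolving before the same test, which this example leaves out. The management network and the sample requests are constructed.

```python
"""Destination check a captive-portal proxy should apply before forwarding,
to stop the Host:/Request-URI trick described above. Added example, not
ZyXEL or Squid code; the management network and requests are constructed."""
import ipaddress
from urllib.parse import urlsplit

# assumed: the AMG-2000's "private LAN" management network
MANAGEMENT_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def _split_host_port(hostport, default_port):
    """'host:port', '[v6]:port', 'host' or '[v6]' -> (host, port)."""
    if hostport.startswith("["):
        end = hostport.index("]")
        host, rest = hostport[1:end], hostport[end + 1:]
        return host, int(rest[1:]) if rest.startswith(":") else default_port
    if ":" in hostport:
        host, port = hostport.rsplit(":", 1)
        return host, int(port)
    return hostport, default_port


def target_host(request_line, headers):
    """Which host/port would the proxy connect to for this request?
    An absolute-form Request-URI takes precedence over Host (RFC 7230)."""
    _method, target, _version = request_line.split(" ", 2)
    if "://" in target:
        u = urlsplit(target)
        return u.hostname, u.port or (443 if u.scheme == "https" else 80)
    return _split_host_port(headers.get("Host", ""), 80)


def forbidden_destination(host):
    """Loopback, link-local, unspecified, 'localhost' and the management
    network must never be reachable through the client-facing proxy."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # assumption: non-literal hostnames are resolved and re-checked elsewhere
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return True
    return any(ip in net for net in MANAGEMENT_NETS)


def should_forward(request_line, headers):
    host, _port = target_host(request_line, headers)
    return bool(host) and not forbidden_destination(host)


if __name__ == "__main__":
    # constructed requests a WLAN client might send to the proxy on port 2128
    samples = [
        ("GET http://127.0.0.1/ HTTP/1.1", {"Host": "127.0.0.1"}),
        ("GET /admin HTTP/1.1", {"Host": "192.168.1.1"}),
        ("GET http://203.0.113.10/ HTTP/1.1", {"Host": "203.0.113.10"}),
    ]
    for line, hdrs in samples:
        print(line, hdrs["Host"], "->", "forward" if should_forward(line, hdrs) else "deny")
```

Binding the admin interface to the management interface only, and not to all addresses, is the complementary fix: then even a forwarded request to 127.0.0.1 finds nothing listening.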