Title: at32 Reverse Proxy - Multiple HTTP Header Field Denial Of Service Vulnerability
Product : at32 Reverse Proxy
Version : v1.060.310
Vendor: http://www.at32.com/doc/rproxy.htm
Class: Boundary Condition Error
Workaround:
-----------
Grant access to the /OpenKM/admin path to specific IPs only (requires an
additional WAF, Reverse Proxy setup[2] or web server IP restriction)
Exploit:
--------
Log in as a low-privileged user (having the UserRole) and call the
following
- Earlier, unsupported versions may also be affected
Description:
Apache Tomcat supports the AJP protocol which is used with reverse
proxies to pass requests and associated data about the request from the
reverse proxy to Tomcat. The AJP protocol is designed so that when a
request includes a request body, an unsolicited AJP message is sent to
Tomcat that includes the first part (or possibly all) of the request
body. In certain circumstances, Tomcat did not process this message as a
request body but as a new request. This permitted an attacker to have
full control over the AJP message which allowed an attacker to (amongst
On Mon, Mar 29, 2010 at 12:49 AM, Tim Brown <timb@nth-dimension.org.uk> wrote:
> Hi,
>
> I've identified a couple of security flaws affecting the Varnish reverse proxy
> which may allow privilege escalation. These issues were reported by email to
> the vendor but he feels that it is a configurational issue rather than a design
> flaw. Whilst I can partially see his point in that the administrative
> interface can be disabled, I'm not convinced that making a C compiler
> available over a network interface without authentication is sound practice,
sub-commands. Unknown if any hidden commands exist.
/SendHttp.cgi -- When authentication is enabled, this appears to be
protected. However in a default configuration with
no authentication, it could provide for interesting
reverse-proxy like manipulation of web-based
firewall admin interfaces.
Additionally, this script is used by the "Ping
Test" that WowWee sends to their servers to help
verify your internet connectivity and UPnP settings
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Date 20100110
I. BACKGROUND
nginx is a HTTP and reverse proxy server written by Igor Sysoev.
Varnish is a state-of-the-art, high-performance HTTP accelerator.
Cherokee is a very fast, flexible and easy to configure Web Server.
thttpd is a simple, small, portable, fast, and secure HTTP server.
mini_httpd is a small HTTP server.
WEBrick is a Ruby library providing simple HTTP web server services.
Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a
.htaccess file, and then inserting an exec element in a .shtml file
(CVE-2009-1195).
The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
module in the Apache HTTP Server before 2.3.3, when a reverse proxy
is configured, does not properly handle an amount of streamed data
that exceeds the Content-Length value, which allows remote attackers
to cause a denial of service (CPU consumption) via crafted requests
(CVE-2009-1890).
when a client aborts a connection. This update corrects this flaw.
For reference the original advisory text is below.
A denial of service flaw was found in the Apache mod_proxy module when
it was used as a reverse proxy. A remote attacker could use this flaw
to force a proxy process to consume large amounts of CPU time. This
issue did not affect Debian 4.0 "etch". (CVE-2009-1890)
A denial of service flaw was found in the Apache mod_deflate module.
This module continued to compress large files until compression was
Problem Description:
Multiple vulnerabilities have been found and corrected in apache:
The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
module in the Apache HTTP Server before 2.3.3, when a reverse proxy
is configured, does not properly handle an amount of streamed data
that exceeds the Content-Length value, which allows remote attackers
to cause a denial of service (CPU consumption) via crafted requests
(CVE-2009-1890).
- Tomcat 7.0.x users should upgrade to 7.0.1 when released or apply this
patch:
http://svn.apache.org/viewvc?view=revision&revision=958911
- All users may mitigate this flaw by running Tomcat behind a reverse
proxy (such as Apache httpd 2.2) that rejects invalid values for
Transfer-Encoding.
Credit:
This issue was discovered by Steve Jones
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42,
2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision
1179239 patch is in place, does not properly interact with use of (1)
RewriteRule and (2) ProxyPassMatch pattern matches for configuration
of a reverse proxy, which allows remote attackers to send requests
to intranet servers via a malformed URI containing an @ (at sign)
character and a : (colon) character in invalid positions. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2011-3368
(CVE-2011-4317).
Previous versions of httpd do not properly handle Options=IncludesNOEXEC
in the AllowOverride directive, which allows local users to gain
privileges via a specially crafted .htaccess file combined with an exec
element in a .shtml file.
Additionally, when a reverse proxy is configured, a vulnerability in
mod_proxy could allow a remote attacker to cause a denial of service
(CPU consumption) via crafted requests.
Both of these issues have been addressed in this release.
Vulnerability Description
---------------------------------------
The Artofdefence Hyperguard Web Application Firewall operates as a
reverse proxy module between the clients and the web server to be
protected. All HTTP requests are checked before being forwarded to the
web server. By sending specially crafted HTTP POST requests an attacker
is able to trigger high memory usage on the WAF. By repeatedly sending
the request the available memory is exhausted resulting in a kernel
panic and therefore a denial of service.
http://www.phion.com/INT/products/websecurity/Pages/default.aspx
Vulnerability Description
---------------------------------------
The phion airlock Web Application Firewall operates as a reverse proxy
between the clients and the web server to be protected. All HTTP
requests are checked before being forwarded to the web server. The
system can be administered via a separate management interface which is
normally not accessible for external users. By sending a specially
crafted HTTP GET request an attacker with access to the management
Vulnerability Description
---------------------------------------
The radware AppWall Web Application Firewall operates as a reverse proxy
between the clients and the web server to be protected. All HTTP
requests are checked before being forwarded to the web server. The
system can be administered via a separate management interface which is
normally not accessible for external users. The web interface is
realised using the PHP programming language. Some of the functionality
- 5.5.33 (release expected Monday 7 Feb 2011)
All users are recommended to upgrade to a Tomcat version with the
work-around. Users unable to upgrade can filter malicious requests via a
Servlet filter, an httpd re-write rule (if Tomcat is behind an httpd
reverse proxy) or other filtering as available.
Accept-Language headers that are compliant with RFC 2616 cannot trigger
this bug. Therefore, filtering out all requests with non-compliant
headers will provide protection against the DoS vulnerability.
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2629
Chris Ries discovered that nginx, a high-performance HTTP server, reverse
proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when
processing certain HTTP requests. An attacker can use this to execute
arbitrary code with the rights of the worker process (www-data on Debian)
or possibly perform denial of service attacks by repeatedly crashing
worker processes via a specially crafted URL in an HTTP request.
A vulnerability has been discovered and corrected in apache:
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42,
2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly
interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern
matches for configuration of a reverse proxy, which allows remote
attackers to send requests to intranet servers via a malformed URI
containing an initial @ (at sign) character (CVE-2011-3368).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
Denial of Service.
Background
==========
nginx is a robust, small and high performance HTTP and reverse proxy
server.
Affected packages
=================
Impact
======
A remote attacker using a vulnerable Squid as a proxy server or a
reverse-proxy server can inject arbitrary content into the "User-Agent"
HTTP client header, that will be processed by sarg, which will lead to
the execution of arbitrary code, or JavaScript injection, allowing
Cross-Site Scripting attacks and the theft of credentials.
Workaround
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-1890 CVE-2009-1891
and bug fix release, including the following significant security fixes:
* SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations.
* SECURITY: CVE-2011-3607 (cve.mitre.org)
Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
is enabled, could allow local users to gain privileges via a .htaccess
file.
* Sander de Boer discovered that the AJP proxy module (mod_proxy_ajp)
does not correctly handle POST requests that do not contain a request
body (CVE-2009-1191).
* The vendor reported that the HTTP proxy module (mod_proxy_http),
when being used as a reverse proxy, does not properly handle requests
containing more data as stated in the "Content-Length" header
(CVE-2009-1890).
* Francois Guerraz discovered that mod_deflate does not abort the
compression of large files even when the requesting connection is
its input when processing replies to EPASV and PASV commands. An attacker
could use this to cause a denial of service in the Apache child process.
(CVE-2009-3094)
Another flaw was discovered in mod_proxy_ftp. If Apache is configured as a
reverse proxy, an attacker could send a crafted HTTP header to bypass
intended access controls and send arbitrary commands to the FTP server.
(CVE-2009-3095)
Updated packages for Ubuntu 6.06 LTS: