Intercepting proxy servers may incorrectly rely on HTTP headers to make connections

2009-02-23T00:00:00
ID VU:435052
Type cert
Reporter CERT
Modified 2009-09-28T18:58:00

Description

Overview

Proxy servers running in interception mode ("transparent" proxies) that make connection decisions based on HTTP header values may be used by an attacker to relay connections.

Description

HTTP Host Headers are defined in RFC 2616 and are often used to by web servers to allow multiple websites to share a single IP address.

From RFC 2616:
_A "host" without any trailing port information implies the default port for the service requested (e.g., "80" for an HTTP URL). For example, a request on the origin server for <<http://www.w3.org/pub/WWW/>> would properly include:

GET /pub/WWW/ HTTP/1.1
Host: www.w3.org

A client MUST include a Host header field in all HTTP/1.1 request messages . If the requested URI does not include an Internet host name for the service being requested, then the Host header field MUST be given with an empty value. An HTTP/1.1 proxy MUST ensure that any request message it forwards does contain an appropriate Host header field that identifies the service being requested by the proxy. All Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message which lacks a Host header field._

Transparent proxy servers intercept and redirect network connections without user interaction or browser configuration. Some transparent intercepting proxy implementations make connection decisions based on the HTTP host-header value. Browser plugins (Flash, Java, etc) may enforce access controls on active content by limiting communication to the site or domain that the content originated from. An attacker may be able to forge HTTP host-header (or other HTTP headers) via active content. A proxy server running in intercepting ("transparent") mode that makes connection decisions based on HTTP header values instead of source and destination IP addresses is vulnerable due the ability of a remote attacker to forge these values.

To successfully exploit this issue, an attacker would need to either convince a user to visit a web page with malicious active content or be able to load the active content in an otherwise trusted site. Note that this vulnerability only affects proxy servers that run in transparent mode and browser same origin policies prevent attackers from re-using authentication credentials (cookies, etc) to obtain further access. This issue does not apply to proxy servers running in reverse mode.

More information about this issue can be found in the Socket Capable Browser Plugins Result In Transparent Proxy Abuse paper.


Impact

An attacker may be able to make full connections to any website or resource that the proxy can connect to. These sites may include internal resources such as intranet sites that would not usually be exposed to the Internet.


Solution

Update
When possible, administrators are recommended to obtain updated software. See the systems affected section of this document for a partial list of affected vendors. In network architectures using NAT, fixing this issue may not be feasible. Administrators are encouraged to review the below workarounds.

Administrators can determine if their proxy server is vulnerable by reading the "Reproduction Instructions" section of the Socket Capable Browser Plugins Result In Transparent Proxy Abuse paper.


Workarounds for Administrators

It is possible to limit the impact of this vulnerability by restricting access in several ways. None of the below workarounds solve the issue, but they will significantly reduce the impact.

* Because an attacker can not access HTTP cookies, internal services that use an authentication scheme (such as a username/password) are not likely to be affected.
* Network designs that have limited connectivity between the proxy and internal services will prevent an attacker from obtaining direct access to these services via the proxy. Administrators should consider using access control lists or firewall rules to prevent direct connections between internal servers and proxy servers.
* Administrators should limit the CONNECT method to only the minimum required port range (usually `443/tcp`).
* Limiting the range of ports a proxy server can communicate on will limit what resources an attacker can target. When possible, router or switch access control lists should be configured to prevent HTTP proxy servers using ports or protocols that they should not normally need access to. HTTP proxy servers do not usually need to communicate with [well known ports](&lt;http://en.wikipedia.org/w/index.php?title=List_of_TCP_and_UDP_port_numbers&oldid=266934839&gt;) other than `80/tcp` and `443/tcp`.

Workarounds for users

* To exploit this issue an attacker needs to execute active content (Java, Flash, Silverlight, etc) in the context of a web browser. Mozilla Firefox users should consider using the NoScript plugin to whitelist sites that can execute dynamic content. See the Securing Your Web Browser document for more information about secure browser configurations.

Workarounds for proxy server vendors

Although these workarounds will not address the underlying issue, vendors who distribute HTTP proxy servers are encouraged to implement them to mitigate future vulnerabilities.

* In default configurations the proxy server should only be able to connect to a limited number of well known ports. 
* The CONNECT method should only be allowed for traffic that uses destination port `443/tcp`, unless the proxy is designed to act as a TCP tunnel on all ports.

Vendor Information

435052

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Computer, Inc. __ Affected

Notified: December 09, 2008 Updated: September 11, 2009

Statement Date: December 10, 2008

Status

Affected

Vendor Statement

On Mac OS X v10.5, the Parental Controls Internet content filter is susceptible to this issue. This issue does not affect Mac OS X v10.6.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Astaro __ Affected

Updated: April 30, 2009

Statement Date: April 30, 2009

Status

Affected

Vendor Statement

Astaro Customers are only vulnerable if users allow java or activex, and using the proxy in transparent mode and have internal web servers which are not password protected.

We are currently working on a solution.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Blue Coat Systems __ Affected

Notified: January 02, 2009 Updated: March 04, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <https://hypersonic.bluecoat.com/support/securityadvisories/ProxySG_in_transparent_deployments> for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Internet Initiative Japan __ Affected

Updated: April 13, 2009

Status

Affected

Vendor Statement

See <http://www.seil.jp/english/seilseries/security/2009/04091700.php> for more information.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QBIK New Zealand Limited Affected

Notified: January 15, 2009 Updated: January 21, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SmoothWall __ Affected

Notified: December 09, 2008 Updated: February 20, 2009

Status

Affected

Vendor Statement

SmoothWall products that include SmoothGuardian (SchoolGuardian, NetworkGuardian, and our Firewall prouct that have SmoothGuardian installed upon them) are vulnerable but the workaround is to configure Guardian to block their internal web servers without passwords using hostname and IPaddress. The vulnerability only is real if users allow java or activex, are using transparent proxying, and have internal web servers not password protected.

We are also working on a hostname validation system which will actually increase the security beyond a normal system by checking the destination hostname against the destination IP which will protect against certain cache or host file poisoning.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Squid Affected

Notified: January 02, 2009 Updated: February 23, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ziproxy __ Affected

Notified: January 13, 2009 Updated: August 07, 2009

Statement Date: August 07, 2009

Status

Affected

Vendor Statement

For servers running Ziproxy in transparent proxy mode, it is strongly recommended to set the following options as below:

ConventionalProxy = false
AllowMethodCONNECT = false

When running as a conventional proxy (non-transparent), it is strongly
recommended to read the documentation on the following option:
AllowMethodCONNECT

Running Ziproxy in both transparent and conventional modes simultaneously is
discouraged for security reasons.

In transparent mode, the latest version of Ziproxy (2.6.0) trusts the host and
port provided in the HTTP headers. This may be exploited using a hand-crafted
HTTP request so to access arbitrary websites.

In order to address this specific vulnerability, firewall rules may be used and/or an additional HTTP proxy with more security mechanisms may be
installed between the clients and Ziproxy.

Since Ziproxy is not a caching proxy, cache poisoning issues do not apply.

Vendor Information

Ziproxy 2.7.0 and newer versions include provisions that mitigate this vulnerability.
Details are included in the software documentation

Borderware Technologies __ Not Affected

Notified: December 09, 2008 Updated: February 03, 2009

Statement Date: February 02, 2009

Status

Not Affected

Vendor Statement

Our detailed investigation of the vulnerability in transparent proxy servers using the HTTP Host field resulting in potential cache poisoning has indicated that Borderware's products are not susceptible to this form of attack. More details on this can be obtained by contacting Borderware.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Check Point Software Technologies __ Not Affected

Notified: December 09, 2008 Updated: February 20, 2009

Status

Not Affected

Vendor Statement

Check Point products are not affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cisco Systems, Inc. __ Not Affected

Notified: December 09, 2008 Updated: March 12, 2009

Status

Not Affected

Vendor Statement

The Cisco PSIRT has been investigating and has not found any vulnerable products. If we determine that any of our products are vulnerable, information will be available at: <http://www.cisco.com/go/psirt/>. Please direct any questions to psirt@cisco.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Access control lists can be configured to mitigate this vulnerability. The below ACLs limit access allow a proxy server to only connect make outbound connections to TCP port 80.

access-list 111 permit tcp [ip address of proxy] any eq 80
access-list 112 permit tcp any any gt 1023 established

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc. Not Affected

Notified: December 09, 2008 Updated: December 17, 2008

Statement Date: December 17, 2008

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian GNU/Linux __ Not Affected

Notified: December 09, 2008 Updated: February 20, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Administrators of Debian systems should use ACLs or iptables rules to prevent proxies from connecting to internal resources. Administrators who use Squid should refer to <http://www.visolve.com/squid/squid24s1/access_controls.php> for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Extreme Networks Not Affected

Notified: December 09, 2008 Updated: April 24, 2009

Statement Date: April 23, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Force10 Networks, Inc. __ Not Affected

Notified: December 09, 2008 Updated: February 04, 2009

Statement Date: January 30, 2009

Status

Not Affected

Vendor Statement

Force10 equipment is not vulnerable to this threat. Force10 routers and switches could help mitigate such an attack by restricting access to internal resources by using access control lists.

Vendor Information

See <https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.aspx> for information configuring ACL and port filters.

Fortinet, Inc. Not Affected

Notified: December 09, 2008 Updated: December 10, 2008

Statement Date: December 09, 2008

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Foundry Networks, Inc. Not Affected

Notified: December 09, 2008 Updated: December 11, 2008

Statement Date: December 10, 2008

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IP Filter Not Affected

Notified: December 09, 2008 Updated: January 08, 2009

Statement Date: January 08, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Intel Corporation Not Affected

Notified: December 09, 2008 Updated: January 07, 2009

Statement Date: December 16, 2008

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Internet Security Systems, Inc. Not Affected

Notified: December 09, 2008 Updated: April 13, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetApp Not Affected

Notified: December 09, 2008 Updated: April 27, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc. Not Affected

Notified: December 09, 2008 Updated: December 18, 2008

Statement Date: December 18, 2008

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

PePLink __ Not Affected

Notified: December 09, 2008 Updated: January 02, 2009

Statement Date: December 10, 2008

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Peplink products are not vulnerable.

RadWare, Inc. Not Affected

Notified: December 09, 2008 Updated: December 17, 2008

Statement Date: December 17, 2008

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

TippingPoint, Technologies, Inc. Not Affected

Notified: December 09, 2008 Updated: January 13, 2009

Statement Date: January 13, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc. Not Affected

Notified: December 09, 2008 Updated: March 04, 2009

Statement Date: March 04, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

3com, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AT&T Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alcatel-Lucent Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Inc. Unknown

Notified: September 11, 2009 Updated: September 11, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Asterisk Unknown

Updated: April 22, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Avaya, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AvertLabs Unknown

Notified: December 10, 2008 Updated: December 10, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Barracuda Networks Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Belkin, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Bro Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CIAC Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Charlotte's Web Networks Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Clavister Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Computer Associates Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Computer Associates eTrust Security Management Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Data Connection, Ltd. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Enterasys Networks Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ericsson Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Global Technology Associates Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Google Unknown

Notified: January 08, 2009 Updated: January 08, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intoto Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Luminous Networks Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

McAfee Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Vulnerability Research Unknown

Notified: February 10, 2009 Updated: February 09, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Multitech, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nortel Networks, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenSSH Unknown

Notified: January 06, 2009 Updated: January 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

PayPal Unknown

Notified: November 12, 2008 Updated: November 11, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Privoxy Unknown

Notified: January 06, 2009 Updated: January 06, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Process Software Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Q1 Labs Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX, Software Systems, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Quagga Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Redback Networks, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Secure Computing Network Security Division Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Secureworx, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Snort Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Soapstone Networks Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sophos, Inc. Unknown

Notified: March 11, 2009 Updated: March 11, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sourcefire Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Stonesoft Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sun Microsystems, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Symantec, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Tinyproxy Unknown

Notified: June 29, 2009 Updated: June 29, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

U4EA Technologies, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vyatta Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Watchguard Technologies, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ZyXEL Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

eSoft, Inc. Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

m0n0wall Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

netfilter Unknown

Notified: December 09, 2008 Updated: December 09, 2008

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 110 vendors View less vendors

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal | 0 | E:ND/RL:ND/RC:ND
Environmental | 0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  • <http://www.thesecuritypractice.com/the_security_practice/TransparentProxyAbuse.pdf>
  • <http://www.ietf.org/rfc/rfc2616.txt>
  • <http://www.webappsec.org/lists/websecurity/archive/2008-06/msg00073.html>
  • <http://www.us-cert.gov/reading_room/securing_browser/>
  • <http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14213>
  • <http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html>
  • <http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)#Black_Box_testing_and_example>
  • http://en.wikipedia.org/w/index.php?title=List_of_TCP_and_UDP_port_numbers&oldid=266934839

Acknowledgements

Thanks to Robert Auger from the PayPal Information Risk Management team for reporting this issue as well as providing technical information.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: | None
---|---
Severity Metric: | 3.54
Date Public: | 2009-02-23
Date First Published: | 2009-02-23
Date Last Updated: | 2009-09-28 18:58 UTC
Document Revision: | 143