Astaro Security Linux Proxy Invalid Request Information Disclosure

2005-08-25T04:00:22
ID OSVDB:19793
Type osvdb
Reporter Oliver Karow (Oliver.karow@gmx.de)
Modified 2005-08-25T04:00:22

Description

Vulnerability Description

Astaro Security Linux Proxy contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an invalid connection request is sent to the proxy port, which discloses the login credentials used internally by the Content Filter Framework (Proxy-authorization: Basic LTpwcHBwCg==), resulting in a loss of confidentiality.

Solution Description

Upgrade to version 6.0.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

Connect to the proxy port at 8080 with Netcat.
Send an invalid, unauthenticated request: CONNECT localhost 21 HTTP/1.0
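
To confirm that an upgraded proxy no longer leaks the header, the captured response to the manual test can be scanned for an echoed Proxy-Authorization credential. The following is an added example, not part of the original advisory; the function name and both sample responses are constructed, and the real error-page layout is an assumption.

```python
import base64
import binascii
import re

# Matches an echoed Proxy-Authorization header carrying Basic credentials,
# case-insensitively, anywhere in a captured response (headers or body).
LEAK_RE = re.compile(
    r"proxy-authorization\s*:\s*basic\s+([A-Za-z0-9+/]+={0,2})", re.IGNORECASE
)


def find_leaked_proxy_credentials(response_text):
    """Return one finding per echoed Basic credential, password redacted."""
    findings = []
    for match in LEAK_RE.finditer(response_text):
        token = match.group(1)
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            # Not valid base64: still report, since a header was echoed back.
            findings.append({"token": token, "user": None, "password_len": None})
            continue
        user, sep, password = decoded.partition(b":")
        findings.append({
            "token": token,
            "user": user.decode("latin-1") if sep else None,
            # Report only the length (line ending stripped), never the secret.
            "password_len": len(password.rstrip(b"\r\n")) if sep else None,
        })
    return findings


# Constructed sample responses; the real error-page layout is an assumption.
VULNERABLE_RESPONSE = (
    "HTTP/1.0 400 Bad Request\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<pre>CONNECT localhost 21 HTTP/1.0\n"
    "Proxy-authorization: Basic LTpwcHBwCg==\n</pre>"
)
FIXED_RESPONSE = (
    "HTTP/1.0 400 Bad Request\r\nContent-Type: text/html\r\n\r\n<p>Bad request</p>"
)

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(name, find_leaked_proxy_credentials(text))
```

An empty result for the response captured after upgrading to 6.0.0.2 or higher indicates the header is no longer echoed.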

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-08/0353.html
ISS X-Force ID: 22024
CVE-2005-2730