Overview
Proxy servers running in interception mode ("transparent" proxies) that make connection decisions based on HTTP header values may be used by an attacker to relay connections.
Description
The HTTP Host header is defined in RFC 2616 and is commonly used by web servers to let multiple websites share a single IP address. From RFC 2616:
Impact
An attacker may be able to make full connections to any website or resource that the proxy can connect to. These sites may include internal resources such as intranet sites that would not usually be exposed to the Internet.
Solution
Update
Workarounds for users
Although these workarounds will not address the underlying issue, vendors who distribute HTTP proxy servers are encouraged to implement them to mitigate future vulnerabilities.
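To make the failure mode concrete, the following Python is an added example (not code from this note or from any vendor it lists): it places the Host-trusting upstream selection the note describes beside a hardened version that only ever connects to the address the client actually opened a TCP connection to and checks that the Host header is consistent with it, plus a defence-in-depth egress check of the kind the vendor addenda recommend. The DNS table, host names, addresses and the request are all constructed for illustration.

```python
"""Transparent-proxy upstream selection: the Host-trusting logic the note
describes beside a hardened version.  Added example, not code from the
note or from any vendor it lists; names, the DNS table and the request
are constructed for illustration."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Target = Tuple[str, int]  # (ip-or-hostname, port)

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.com": ["203.0.113.10"],
    "intranet.corp.example": ["10.0.0.5"],
}


def resolve(hostname: str) -> List[str]:
    return FAKE_DNS.get(hostname.lower(), [])


# RFC 1918 ranges: the "internal resources" the note says a relaying proxy can reach.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_request_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.x request head into its request line and a
    lower-cased header map (the only parsing this example needs)."""
    head = raw.decode("iso-8859-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def host_header_target(headers: Dict[str, str]) -> Target:
    """Interpret the Host header as host[:port]; the port defaults to 80.
    Bracketed IPv6 literals are not handled in this example."""
    host = headers.get("host", "")
    name, sep, port = host.rpartition(":")
    if not sep:
        return host, 80
    if not port.isdigit():
        raise ValueError("non-numeric port in Host header")
    return name, int(port)


def vulnerable_upstream(raw: bytes, original_dst: Target) -> Target:
    """The behaviour the note describes: the proxy intercepted a connection
    to original_dst but connects wherever the client's Host header says.
    original_dst is ignored, so the client can steer the proxy anywhere."""
    _, headers = parse_request_head(raw)
    return host_header_target(headers)


def hardened_upstream(raw: bytes, original_dst: Target,
                      resolver: Callable[[str], List[str]] = resolve
                      ) -> Optional[Target]:
    """Only ever connect to original_dst (the address the client actually
    opened a TCP connection to, e.g. read via SO_ORIGINAL_DST on Linux),
    and refuse the request unless its Host header is consistent with it."""
    _, headers = parse_request_head(raw)
    try:
        name, port = host_header_target(headers)
    except ValueError:
        return None
    orig_ip, orig_port = original_dst
    if port != orig_port:
        return None
    if name == orig_ip or orig_ip in resolver(name):
        return original_dst
    return None  # Host names a different server than the one the client reached


def egress_allowed(target: Target) -> bool:
    """Defence-in-depth layer mirroring the ACL advice in the vendor addenda:
    the proxy may only open outbound TCP 80, never to internal ranges.
    Expects an IP literal, i.e. is applied after name resolution."""
    ip, port = target
    if port != 80:
        return False
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


# Constructed request: the client connected to 203.0.113.10:80 but names an
# internal host in the Host header.
CRAFTED = (b"GET /admin HTTP/1.1\r\n"
           b"Host: intranet.corp.example\r\n"
           b"Connection: close\r\n\r\n")
ORIGINAL_DST: Target = ("203.0.113.10", 80)

if __name__ == "__main__":
    print("host-trusting proxy would connect to:",
          vulnerable_upstream(CRAFTED, ORIGINAL_DST))
    print("hardened proxy connects to:",
          hardened_upstream(CRAFTED, ORIGINAL_DST))
```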
Vendor Information
Apple Computer, Inc. Affected
Notified: December 09, 2008 Updated: September 11, 2009
Statement Date: December 10, 2008
Status
Affected
Vendor Statement
On Mac OS X v10.5, the Parental Controls Internet content filter is susceptible to this issue. This issue does not affect Mac OS X v10.6.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Astaro Affected
Updated: April 30, 2009
Statement Date: April 30, 2009
Status
Affected
Vendor Statement
Astaro customers are only vulnerable if users allow Java or ActiveX, are using the proxy in transparent mode, and have internal web servers which are not password protected.
We are currently working on a solution.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Blue Coat Systems Affected
Notified: January 02, 2009 Updated: March 04, 2009
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
See https://hypersonic.bluecoat.com/support/securityadvisories/ProxySG_in_transparent_deployments for more information.
Internet Initiative Japan Affected
Updated: April 13, 2009
Status
Affected
Vendor Statement
See http://www.seil.jp/english/seilseries/security/2009/04091700.php for more information.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
QBIK New Zealand Limited Affected
Notified: January 15, 2009 Updated: January 21, 2009
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
SmoothWall Affected
Notified: December 09, 2008 Updated: February 20, 2009
Status
Affected
Vendor Statement
SmoothWall products that include SmoothGuardian (SchoolGuardian, NetworkGuardian, and our Firewall product that have SmoothGuardian installed upon them) are vulnerable, but the workaround is to configure Guardian to block their internal web servers without passwords using hostname and IP address. The vulnerability is only real if users allow Java or ActiveX, are using transparent proxying, and have internal web servers not password protected.
We are also working on a hostname validation system which will actually increase the security beyond a normal system by checking the destination hostname against the destination IP which will protect against certain cache or host file poisoning.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Squid Affected
Notified: January 02, 2009 Updated: February 23, 2009
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Ziproxy Affected
Notified: January 13, 2009 Updated: August 07, 2009
Statement Date: August 07, 2009
Status
Affected
Vendor Statement
For servers running Ziproxy in transparent proxy mode, it is strongly recommended to set the following options as below:
ConventionalProxy = false
AllowMethodCONNECT = false
When running as a conventional proxy (non-transparent), it is strongly recommended to read the documentation on the following option:
AllowMethodCONNECT
Running Ziproxy in both transparent and conventional modes simultaneously is discouraged for security reasons.
In transparent mode, the latest version of Ziproxy (2.6.0) trusts the host and port provided in the HTTP headers. This may be exploited using a hand-crafted HTTP request so as to access arbitrary websites.
In order to address this specific vulnerability, firewall rules may be used and/or an additional HTTP proxy with more security mechanisms may be installed between the clients and Ziproxy.
Since Ziproxy is not a caching proxy, cache poisoning issues do not apply.
Vendor Information
Ziproxy 2.7.0 and newer versions include provisions that mitigate this vulnerability. Details are included in the software documentation.
Borderware Technologies Not Affected
Notified: December 09, 2008 Updated: February 03, 2009
Statement Date: February 02, 2009
Status
Not Affected
Vendor Statement
Our detailed investigation of the vulnerability in transparent proxy servers using the HTTP Host field resulting in potential cache poisoning has indicated that Borderware's products are not susceptible to this form of attack. More details on this can be obtained by contacting Borderware.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Check Point Software Technologies Not Affected
Notified: December 09, 2008 Updated: February 20, 2009
Status
Not Affected
Vendor Statement
Check Point products are not affected by this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Cisco Systems, Inc. Not Affected
Notified: December 09, 2008 Updated: March 12, 2009
Status
Not Affected
Vendor Statement
The Cisco PSIRT has been investigating and has not found any vulnerable products. If we determine that any of our products are vulnerable, information will be available at: http://www.cisco.com/go/psirt/. Please direct any questions to psirt@cisco.com.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Access control lists can be configured to mitigate this vulnerability. The ACLs below allow the proxy server to make outbound connections only to TCP port 80 (the second entry permits the return traffic of established connections).
access-list 111 permit tcp [ip address of proxy] any eq 80
access-list 112 permit tcp any any gt 1023 established
Cray Inc. Not Affected
Notified: December 09, 2008 Updated: December 17, 2008
Statement Date: December 17, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Debian GNU/Linux Not Affected
Notified: December 09, 2008 Updated: February 20, 2009
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Administrators of Debian systems should use ACLs or iptables rules to prevent proxies from connecting to internal resources. Administrators who use Squid should refer to http://www.visolve.com/squid/squid24s1/access_controls.php for more information.
Extreme Networks Not Affected
Notified: December 09, 2008 Updated: April 24, 2009
Statement Date: April 23, 2009
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Force10 Networks, Inc. Not Affected
Notified: December 09, 2008 Updated: February 04, 2009
Statement Date: January 30, 2009
Status
Not Affected
Vendor Statement
Force10 equipment is not vulnerable to this threat. Force10 routers and switches could help mitigate such an attack by restricting access to internal resources by using access control lists.
Vendor Information
See https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.aspx for information on configuring ACLs and port filters.
Fortinet, Inc. Not Affected
Notified: December 09, 2008 Updated: December 10, 2008
Statement Date: December 09, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Foundry Networks, Inc. Not Affected
Notified: December 09, 2008 Updated: December 11, 2008
Statement Date: December 10, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IP Filter Not Affected
Notified: December 09, 2008 Updated: January 08, 2009
Statement Date: January 08, 2009
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Intel Corporation Not Affected
Notified: December 09, 2008 Updated: January 07, 2009
Statement Date: December 16, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Internet Security Systems, Inc. Not Affected
Notified: December 09, 2008 Updated: April 13, 2009
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
NetApp Not Affected
Notified: December 09, 2008 Updated: April 27, 2009
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Novell, Inc. Not Affected
Notified: December 09, 2008 Updated: December 18, 2008
Statement Date: December 18, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
PePLink Not Affected
Notified: December 09, 2008 Updated: January 02, 2009
Statement Date: December 10, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Peplink products are not vulnerable.
RadWare, Inc. Not Affected
Notified: December 09, 2008 Updated: December 17, 2008
Statement Date: December 17, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
TippingPoint, Technologies, Inc. Not Affected
Notified: December 09, 2008 Updated: January 13, 2009
Statement Date: January 13, 2009
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Wind River Systems, Inc. Not Affected
Notified: December 09, 2008 Updated: March 04, 2009
Statement Date: March 04, 2009
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
3com, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
ACCESS Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
AT&T Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Alcatel-Lucent Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Apple Inc. Unknown
Notified: September 11, 2009 Updated: September 11, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Asterisk Unknown
Updated: April 22, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Avaya, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
AvertLabs Unknown
Notified: December 10, 2008 Updated: December 10, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Barracuda Networks Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Belkin, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Bro Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CIAC Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Charlotte's Web Networks Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Clavister Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Computer Associates Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Computer Associates eTrust Security Management Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Conectiva Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Data Connection, Ltd. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
DragonFly BSD Project Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
EMC Corporation Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Engarde Secure Linux Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Enterasys Networks Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Ericsson Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
F5 Networks, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fedora Project Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
FreeBSD, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fujitsu Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Gentoo Linux Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Global Technology Associates Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Google Unknown
Notified: January 08, 2009 Updated: January 08, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hewlett-Packard Company Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hitachi Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM Corporation Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM Corporation (zseries) Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM eServer Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Ingrian Networks, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Intoto Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Juniper Networks, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Luminous Networks Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Mandriva, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
McAfee Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Microsoft Corporation Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Microsoft Vulnerability Research Unknown
Notified: February 10, 2009 Updated: February 09, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
MontaVista Software, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Multitech, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NEC Corporation Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NetBSD Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Nokia Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Nortel Networks, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
OpenBSD Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
OpenSSH Unknown
Notified: January 06, 2009 Updated: January 06, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
PayPal Unknown
Notified: November 12, 2008 Updated: November 11, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Privoxy Unknown
Notified: January 06, 2009 Updated: January 06, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Process Software Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Q1 Labs Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
QNX, Software Systems, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Quagga Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Red Hat, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Redback Networks, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
SUSE Linux Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Secure Computing Network Security Division Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Secureworx, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Silicon Graphics, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Slackware Linux Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Snort Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Soapstone Networks Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sony Corporation Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sophos, Inc. Unknown
Notified: March 11, 2009 Updated: March 11, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sourcefire Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Stonesoft Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sun Microsystems, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Symantec, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
The SCO Group Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Tinyproxy Unknown
Notified: June 29, 2009 Updated: June 29, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Turbolinux Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
U4EA Technologies, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Ubuntu Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Unisys Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vyatta Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Watchguard Technologies, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
ZyXEL Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
eSoft, Inc. Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
m0n0wall Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
netfilter Unknown
Notified: December 09, 2008 Updated: December 09, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- |
Temporal | 0 | E:ND/RL:ND/RC:ND |
Environmental | 0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
- http://www.thesecuritypractice.com/the_security_practice/TransparentProxyAbuse.pdf
- http://www.ietf.org/rfc/rfc2616.txt
- http://www.webappsec.org/lists/websecurity/archive/2008-06/msg00073.html
- http://www.us-cert.gov/reading_room/securing_browser/
- http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14213
- http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
- http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)#Black_Box_testing_and_example
- http://en.wikipedia.org/w/index.php?title=List_of_TCP_and_UDP_port_numbers&oldid=266934839
Acknowledgements
Thanks to Robert Auger from the PayPal Information Risk Management team for reporting this issue as well as providing technical information.
This document was written by Ryan Giobbi.
Other Information
CVE IDs: None
Severity Metric: 3.54
Date Public: 2009-02-23
Date First Published: 2009-02-23
Date Last Updated: 2009-09-28 18:58 UTC
Document Revision: 143