Details of VAR-200903-0335

ID

VAR-200903-0335

CVE

CVE-2009-0804

TITLE

Intercepting proxy servers may incorrectly rely on HTTP headers to make connections

Trust: 0.8

sources: CERT/CC: VU#435052

DESCRIPTION

Ziproxy 2.6.0, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header. Proxy servers running in interception mode ("transparent" proxies) that make connection decisions based on HTTP header values may be used by an attacker to relay connections. Ziproxy Is used to determine the remote endpoint when transparent blocking mode is enabled. Ziproxy is prone to a security bypass vulnerability. SOLUTION: As a workaround, the vendor recommends to "configure Guardian to block their internal web servers without passwords using hostname and IPaddress". ---------------------------------------------------------------------- Did you know? Our assessment and impact rating along with detailed information such as exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more about our commercial solutions: http://secunia.com/advisories/business_solutions/ Click here to trial our solutions: http://secunia.com/advisories/try_vi/ ---------------------------------------------------------------------- TITLE: Ziproxy HTTP "Host:" Header Security Bypass SECUNIA ADVISORY ID: SA34018 VERIFY ADVISORY: http://secunia.com/advisories/34018/ DESCRIPTION: A security issue has been reported in Ziproxy, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to the application relying on HTTP "Host:" headers when acting as transparent proxy. This can be exploited to e.g. Successful exploitation requires that the attacker can forge the HTTP "Host:" header (e.g. via active content). The security issue is reported in version 2.6.0. Other versions may also be affected. SOLUTION: The vendor recommends to use a proxy server with better security capabilities between clients and Ziproxy. Use a firewall to restrict access to untrusted websites. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Robert Auger, PayPal Information Risk Management team. ORIGINAL ADVISORY: US-CERT VU#435052: http://www.kb.cert.org/vuls/id/435052 http://www.kb.cert.org/vuls/id/MAPG-7N9GN8 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . SOLUTION: The vendor has published workarounds. See the vendor's advisory for additional information

Trust: 3.06

sources: NVD: CVE-2009-0804 // CERT/CC: VU#435052 // JVNDB: JVNDB-2009-005863 // BID: 79570 // PACKETSTORM: 75119 // PACKETSTORM: 75100 // PACKETSTORM: 75126 // PACKETSTORM: 75099 // PACKETSTORM: 75373

AFFECTED PRODUCTS

vendor:	ziproxy	model:	ziproxy	scope:	eq	version:	2.6.0	Trust: 2.4
vendor:	apple computer	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	astaro	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	internet initiative	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	qbik new zealand	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	smoothwall	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	squid	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	ziproxy	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	ziproxy	model:	ziproxy	scope:	eq	version:	2.6	Trust: 0.3

sources: CERT/CC: VU#435052 // BID: 79570 // JVNDB: JVNDB-2009-005863 // CNNVD: CNNVD-200903-070 // NVD: CVE-2009-0804

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2009-0804
value:	MEDIUM
Trust: 1.0
CARNEGIE MELLON:	VU#435052
value:	3.54
Trust: 0.8
NVD:	CVE-2009-0804
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200903-070
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2009-0804
severity:	MEDIUM
baseScore:	5.4
vectorString:	AV:N/AC:H/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

sources: CERT/CC: VU#435052 // JVNDB: JVNDB-2009-005863 // CNNVD: CNNVD-200903-070 // NVD: CVE-2009-0804

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.8

sources: JVNDB: JVNDB-2009-005863 // NVD: CVE-2009-0804

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200903-070

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-200903-070

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-005863

PATCH

title:

Ziproxy

url:

http://ziproxy.sourceforge.net/

Trust: 0.8

sources: JVNDB: JVNDB-2009-005863

EXTERNAL IDS

db:	CERT/CC	id:	VU#435052	Trust: 4.0
db:	NVD	id:	CVE-2009-0804	Trust: 2.7
db:	BID	id:	33858	Trust: 1.9
db:	JVNDB	id:	JVNDB-2009-005863	Trust: 0.8
db:	CERT/CC	id:	US-CERT	Trust: 0.6
db:	CNNVD	id:	CNNVD-200903-070	Trust: 0.6
db:	BID	id:	79570	Trust: 0.3
db:	SECUNIA	id:	34014	Trust: 0.2
db:	SECUNIA	id:	34020	Trust: 0.2
db:	SECUNIA	id:	34018	Trust: 0.2
db:	SECUNIA	id:	34019	Trust: 0.2
db:	SECUNIA	id:	34064	Trust: 0.2
db:	PACKETSTORM	id:	75119	Trust: 0.1
db:	PACKETSTORM	id:	75100	Trust: 0.1
db:	PACKETSTORM	id:	75126	Trust: 0.1
db:	PACKETSTORM	id:	75099	Trust: 0.1
db:	PACKETSTORM	id:	75373	Trust: 0.1

sources: CERT/CC: VU#435052 // BID: 79570 // JVNDB: JVNDB-2009-005863 // PACKETSTORM: 75119 // PACKETSTORM: 75100 // PACKETSTORM: 75126 // PACKETSTORM: 75099 // PACKETSTORM: 75373 // CNNVD: CNNVD-200903-070 // NVD: CVE-2009-0804

REFERENCES

url:	http://www.kb.cert.org/vuls/id/435052	Trust: 3.2
url:	http://www.kb.cert.org/vuls/id/mapg-7n9gn8	Trust: 2.0
url:	http://www.securityfocus.com/bid/33858	Trust: 1.9
url:	http://www.thesecuritypractice.com/the_security_practice/transparentproxyabuse.pdf	Trust: 0.8
url:	http://www.ietf.org/rfc/rfc2616.txt	Trust: 0.8
url:	http://www.webappsec.org/lists/websecurity/archive/2008-06/msg00073.html	Trust: 0.8
url:	http://www.us-cert.gov/reading_room/securing_browser/	Trust: 0.8
url:	http://kb.adobe.com/selfservice/viewcontent.do?externalid=tn_14213	Trust: 0.8
url:	http://www.w3.org/protocols/rfc2616/rfc2616-sec9.html	Trust: 0.8
url:	http://www.owasp.org/index.php/testing_for_http_methods_and_xst_(owasp-cm-008)#black_box_testing_and_example	Trust: 0.8
url:	http://en.wikipedia.org/w/index.php?title=list_of_tcp_and_udp_port_numbers&oldid=266934839	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0804	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-0804	Trust: 0.8
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.5
url:	http://secunia.com/advisories/business_solutions/	Trust: 0.5
url:	http://secunia.com/advisories/try_vi/	Trust: 0.5
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.5
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.5
url:	http://secunia.com/advisories/34014/	Trust: 0.1
url:	http://www.kb.cert.org/vuls/id/mapg-7m6sm7	Trust: 0.1
url:	http://secunia.com/advisories/34020/	Trust: 0.1
url:	http://secunia.com/advisories/34018/	Trust: 0.1
url:	http://secunia.com/advisories/34019/	Trust: 0.1
url:	http://secunia.com/advisories/34064/	Trust: 0.1
url:	https://hypersonic.bluecoat.com/support/securityadvisories/proxysg_in_transparent_deployments	Trust: 0.1

CREDITS

Robert Auger from the PayPal Information Risk Management team

Trust: 0.6

sources: CNNVD: CNNVD-200903-070

SOURCES

db:	CERT/CC	id:	VU#435052
db:	BID	id:	79570
db:	JVNDB	id:	JVNDB-2009-005863
db:	PACKETSTORM	id:	75119
db:	PACKETSTORM	id:	75100
db:	PACKETSTORM	id:	75126
db:	PACKETSTORM	id:	75099
db:	PACKETSTORM	id:	75373
db:	CNNVD	id:	CNNVD-200903-070
db:	NVD	id:	CVE-2009-0804

LAST UPDATE DATE

2025-04-10T22:15:55.273000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#435052	date:	2009-09-28T00:00:00
db:	BID	id:	79570	date:	2009-03-04T00:00:00
db:	JVNDB	id:	JVNDB-2009-005863	date:	2012-12-20T00:00:00
db:	CNNVD	id:	CNNVD-200903-070	date:	2009-06-18T00:00:00
db:	NVD	id:	CVE-2009-0804	date:	2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#435052	date:	2009-02-23T00:00:00
db:	BID	id:	79570	date:	2009-03-04T00:00:00
db:	JVNDB	id:	JVNDB-2009-005863	date:	2012-12-20T00:00:00
db:	PACKETSTORM	id:	75119	date:	2009-02-23T14:11:04
db:	PACKETSTORM	id:	75100	date:	2009-02-23T12:27:14
db:	PACKETSTORM	id:	75126	date:	2009-02-24T15:54:02
db:	PACKETSTORM	id:	75099	date:	2009-02-23T12:27:11
db:	PACKETSTORM	id:	75373	date:	2009-03-04T15:05:53
db:	CNNVD	id:	CNNVD-200903-070	date:	2009-03-04T00:00:00
db:	NVD	id:	CVE-2009-0804	date:	2009-03-04T16:30:00.250