Ziproxy Information for VU#435052
| Date Notified: | 2009-01-13 |
| Date Updated: | 2009-08-07 |
| Statement Date: | 2009-08-06 |
| Status Summary: | Vulnerable |
Vendor Statement

For servers running Ziproxy in transparent proxy mode, it is strongly recommended to set the following options:

ConventionalProxy = false
AllowMethodCONNECT = false
When running as a conventional proxy (non-transparent), it is strongly
recommended to read the documentation on the following option:
AllowMethodCONNECT
Running Ziproxy in both transparent and conventional modes simultaneously is
discouraged for security reasons.
In transparent mode, the latest version of Ziproxy (2.6.0) trusts the host and port provided in the HTTP headers. This may be exploited using a hand-crafted HTTP request so as to access arbitrary websites.
In order to address this specific vulnerability, firewall rules may be used and/or an additional HTTP proxy with more security mechanisms may be installed between the clients and Ziproxy.
Since Ziproxy is not a caching proxy, cache poisoning issues do not apply.

Vendor Information

Ziproxy 2.7.0 and newer versions include provisions that mitigate this vulnerability.
Details are included in the software documentation
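As an added example, not part of the vendor statement or the Ziproxy project's own code, the following Python checker parses a ziproxy.conf-style file and reports whether the two options named in the statement (ConventionalProxy and AllowMethodCONNECT) are explicitly set to false for a transparent-mode deployment. It assumes the "Key = value" line shape shown in the statement and "#" comments; the two sample configurations are constructed for illustration and are not real deployments.

```python
import re

# Options the vendor statement says to set explicitly when running in
# transparent proxy mode, with the value it recommends.
REQUIRED_TRANSPARENT_SETTINGS = {
    "ConventionalProxy": "false",
    "AllowMethodCONNECT": "false",
}

# Assumed line shape: optional whitespace, an identifier, '=', a value.
_LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_ziproxy_conf(text):
    """Parse 'Key = value' lines into a dict.

    '#' starts a comment (assumption about the file format); blank and
    unrecognised lines are ignored; a later duplicate key overrides an
    earlier one, mirroring how most line-oriented config parsers behave.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        match = _LINE_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip().strip('"')
        settings[key] = value
    return settings


def audit_transparent_mode(settings):
    """Return a list of findings; an empty list means the two options are set as recommended.

    A missing option is reported as a finding rather than assumed safe,
    because the statement asks for the values to be set explicitly.
    """
    findings = []
    for key, wanted in REQUIRED_TRANSPARENT_SETTINGS.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key} is not set; set '{key} = {wanted}'")
        elif actual.lower() != wanted:
            findings.append(f"{key} = {actual}; expected {wanted}")
    return findings


# Constructed sample: a transparent-mode config that ignores the recommendation.
WEAK_CONF = """# constructed ziproxy.conf fragment (not a real deployment)
Port = 8080
ConventionalProxy = true   # risky in transparent mode
# AllowMethodCONNECT is not set at all
"""

# Constructed sample: the same fragment with the recommended settings.
HARDENED_CONF = """# constructed ziproxy.conf fragment (not a real deployment)
Port = 8080
ConventionalProxy = false
AllowMethodCONNECT = false
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_transparent_mode(parse_ziproxy_conf(conf))
        print(f"{name}: {'OK' if not findings else findings}")
```

Run the script as-is to see both results; to audit a real file, pass the contents of that file to parse_ziproxy_conf instead of one of the constructed strings.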
Addendum

There are no additional comments at this time.