Ziproxy Information for VU#435052
Intercepting proxy servers may incorrectly rely on HTTP headers to make connections
- Vendor Information Help Date Notified: 13 Jan 2009
- Statement Date: 06 Aug 2009
- Date Updated: 07 Aug 2009
Status
Affected
Vendor Statement
For servers running Ziproxy in transparent proxy mode, it is strongly recommended to set the following options as below:
ConventionalProxy = false
AllowMethodCONNECT = false
When running as a conventional proxy (non-transparent), it is strongly
recommended to read the documentation on the following option:
AllowMethodCONNECT
Running Ziproxy in both transparent and conventional modes simultaneously is
discouraged for security reasons.
In transparent mode, the latest version of Ziproxy (2.6.0) trusts the host and
port provided in the HTTP headers. This may be exploited using a hand-crafted
HTTP request so to access arbitrary websites.
In order to address this specific vulnerability, firewall rules may be used and/or an additional HTTP proxy with more security mechanisms may be
installed between the clients and Ziproxy.
Since Ziproxy is not a caching proxy, cache poisoning issues do not apply.
Vendor Information
Ziproxy 2.7.0 and newer versions include provisions that mitigate this vulnerability.
Details are included in the software documentation
Vendor References
None
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.