Ziproxy Information for VU#435052

Intercepting proxy servers may incorrectly rely on HTTP headers to make connections

Status

Affected

Vendor Statement

For servers running Ziproxy in transparent proxy mode, it is strongly recommended to set the following options as below:

ConventionalProxy = false
AllowMethodCONNECT = false

When running as a conventional proxy (non-transparent), it is strongly
recommended to read the documentation on the following option:
AllowMethodCONNECT

Running Ziproxy in both transparent and conventional modes simultaneously is
discouraged for security reasons.

In transparent mode, the latest version of Ziproxy (2.6.0) trusts the host and
port provided in the HTTP headers. This may be exploited using a hand-crafted
HTTP request so as to access arbitrary websites.

In order to address this specific vulnerability, firewall rules may be used and/or an additional HTTP proxy with more security mechanisms may be
installed between the clients and Ziproxy.

Since Ziproxy is not a caching proxy, cache poisoning issues do not apply.
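As an added illustration (not Ziproxy's own code), the check a transparent proxy needs before it trusts a Host header: the header is compared against the destination the client actually connected to, and the request is refused when they disagree. The `resolve` callback is an assumption that lets the check run against a constructed address table instead of live DNS.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# Added illustration, not Ziproxy's code. A transparently intercepted TCP
# connection carries the client's real destination (on Linux netfilter it is
# readable via SO_ORIGINAL_DST). The proxy may only honour a Host header that
# names that same destination; any other value is the hand-crafted request
# the advisory describes and must be refused.

def parse_host_header(host_header: str, default_port: int = 80) -> tuple:
    """Split 'example.com:8080', '[2001:db8::1]:80' or 'example.com' into (host, port)."""
    value = host_header.strip()
    if value.startswith("["):                       # bracketed IPv6 literal
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal in Host header")
        host, port_part = value[1:end], value[end + 1:]
    elif value.count(":") > 1:                      # bare IPv6 literal is ambiguous
        raise ValueError("IPv6 literal in Host header must be bracketed")
    else:
        host, sep, port_part = value.partition(":")
        port_part = sep + port_part
    if port_part == "":
        port = default_port
    elif port_part[:1] == ":" and port_part[1:].isdigit():
        port = int(port_part[1:])
    else:
        raise ValueError("malformed port in Host header")
    if not host or not 0 < port < 65536:
        raise ValueError("empty host or port out of range")
    return host, port

def resolve_with_dns(host: str) -> Iterable[str]:
    """Default resolver: every address the proxy's own DNS returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def host_matches_original_dst(host_header: str, orig_ip: str, orig_port: int,
                              resolve: Callable[[str], Iterable[str]] = resolve_with_dns) -> bool:
    """True only if the Host header names the destination the client actually connected to."""
    try:
        host, port = parse_host_header(host_header)
        orig = ipaddress.ip_address(orig_ip)
        try:
            candidates = [str(ipaddress.ip_address(host))]   # IP literal: exact match only
        except ValueError:
            candidates = resolve(host)                       # hostname: an address must match
        return port == orig_port and orig in {ipaddress.ip_address(a) for a in candidates}
    except (socket.gaierror, ValueError):
        return False
```

Even with this check in place, the safest policy for a transparent proxy is to open the upstream connection to the original destination address and pass Host through only as a header.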

Vendor Information

Ziproxy 2.7.0 and newer versions include provisions that mitigate this vulnerability.
Details are included in the software documentation.

Vendor References

None

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us an email.