Ziproxy Information for VU#435052
Intercepting proxy servers may incorrectly rely on HTTP headers to make connections
- Vendor Information Help Date Notified: 13 Jan 2009
- Statement Date: 06 Aug 2009
- Date Updated: 07 Aug 2009
For servers running Ziproxy in transparent proxy mode, it is strongly recommended to set the following options as below:
ConventionalProxy = false
AllowMethodCONNECT = false
When running as a conventional proxy (non-transparent), it is strongly
recommended to read the documentation on the following option:
Running Ziproxy in both transparent and conventional modes simultaneously is
discouraged for security reasons.
In transparent mode, the latest version of Ziproxy (2.6.0) trusts the host and
port provided in the HTTP headers. This may be exploited using a hand-crafted
HTTP request so to access arbitrary websites.
In order to address this specific vulnerability, firewall rules may be used and/or an additional HTTP proxy with more security mechanisms may be
installed between the clients and Ziproxy.
Since Ziproxy is not a caching proxy, cache poisoning issues do not apply.
Ziproxy 2.7.0 and newer versions include provisions that mitigate this vulnerability.
Details are included in the software documentation
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.