Details of VAR-200904-0328

ID

VAR-200904-0328

CVE

CVE-2009-1211

TITLE

Intercepting proxy servers may incorrectly rely on HTTP headers to make connections

Trust: 0.8

sources: CERT/CC: VU#435052

DESCRIPTION

Blue Coat ProxySG, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header. Proxy servers running in interception mode ("transparent" proxies) that make connection decisions based on HTTP header values may be used by an attacker to relay connections. Multiple HTTP proxy implementations are prone to an information-disclosure vulnerability related to the interpretation of the 'Host' HTTP header. Specifically, this issue occurs when the proxy makes a forwarding decision based on the 'Host' HTTP header instead of the destination IP address. Attackers may exploit this issue to obtain sensitive information such as internal intranet webpages. Additional attacks may also be possible. SOLUTION: As a workaround, the vendor recommends to "configure Guardian to block their internal web servers without passwords using hostname and IPaddress". ---------------------------------------------------------------------- Did you know? Our assessment and impact rating along with detailed information such as exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more about our commercial solutions: http://secunia.com/advisories/business_solutions/ Click here to trial our solutions: http://secunia.com/advisories/try_vi/ ---------------------------------------------------------------------- TITLE: Ziproxy HTTP "Host:" Header Security Bypass SECUNIA ADVISORY ID: SA34018 VERIFY ADVISORY: http://secunia.com/advisories/34018/ DESCRIPTION: A security issue has been reported in Ziproxy, which can be exploited by malicious people to bypass certain security restrictions. This can be exploited to e.g. access restricted websites or bypass a browser's security context protection mechanism by sending HTTP requests with a forged HTTP "Host:" header. Successful exploitation requires that the attacker can forge the HTTP "Host:" header (e.g. via active content). The security issue is reported in version 2.6.0. Other versions may also be affected. SOLUTION: The vendor recommends to use a proxy server with better security capabilities between clients and Ziproxy. Use a firewall to restrict access to untrusted websites. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Robert Auger, PayPal Information Risk Management team. ORIGINAL ADVISORY: US-CERT VU#435052: http://www.kb.cert.org/vuls/id/435052 http://www.kb.cert.org/vuls/id/MAPG-7N9GN8 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . SOLUTION: The vendor has published workarounds

Trust: 3.06

sources: NVD: CVE-2009-1211 // CERT/CC: VU#435052 // JVNDB: JVNDB-2009-002544 // BID: 33858 // PACKETSTORM: 75119 // PACKETSTORM: 75100 // PACKETSTORM: 75126 // PACKETSTORM: 75099 // PACKETSTORM: 75373

AFFECTED PRODUCTS

vendor:	bluecoat	model:	proxysg sg210-10	scope:	eq	version:	-	Trust: 1.6
vendor:	bluecoat	model:	proxysg sg210-25	scope:	eq	version:	-	Trust: 1.6
vendor:	bluecoat	model:	proxysg sg510-10	scope:	eq	version:	-	Trust: 1.6
vendor:	bluecoat	model:	proxysg sg810-10	scope:	eq	version:	-	Trust: 1.0
vendor:	bluecoat	model:	proxysg va-20	scope:	eq	version:	*	Trust: 1.0
vendor:	bluecoat	model:	proxysg va-5	scope:	eq	version:	*	Trust: 1.0
vendor:	bluecoat	model:	proxysg sg810-25	scope:	eq	version:	-	Trust: 1.0
vendor:	bluecoat	model:	proxysg sg510-20	scope:	eq	version:	-	Trust: 1.0
vendor:	bluecoat	model:	proxysg sg810-20	scope:	eq	version:	-	Trust: 1.0
vendor:	bluecoat	model:	proxysg sg510-25	scope:	eq	version:	-	Trust: 1.0
vendor:	bluecoat	model:	proxysg	scope:	eq	version:	*	Trust: 1.0
vendor:	bluecoat	model:	proxysg va-10	scope:	eq	version:	*	Trust: 1.0
vendor:	bluecoat	model:	proxysg sg210-5	scope:	eq	version:	-	Trust: 1.0
vendor:	bluecoat	model:	proxysg sg9000-5	scope:	eq	version:	-	Trust: 1.0
vendor:	bluecoat	model:	proxysg sg9000-10	scope:	eq	version:	-	Trust: 1.0
vendor:	bluecoat	model:	proxysg sg810-5	scope:	eq	version:	-	Trust: 1.0
vendor:	bluecoat	model:	proxysg sg9000-20	scope:	eq	version:	-	Trust: 1.0
vendor:	bluecoat	model:	proxysg va-15	scope:	eq	version:	*	Trust: 1.0
vendor:	bluecoat	model:	proxysg sg510-5	scope:	eq	version:	-	Trust: 1.0
vendor:	apple computer	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	astaro	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	internet initiative	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	qbik new zealand	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	smoothwall	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	squid	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	ziproxy	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	proxysg	scope:	-	version:	-	Trust: 0.8
vendor:	bluecoat	model:	proxysg va-5	scope:	-	version:	-	Trust: 0.6
vendor:	bluecoat	model:	proxysg va-15	scope:	-	version:	-	Trust: 0.6
vendor:	bluecoat	model:	proxysg va-10	scope:	-	version:	-	Trust: 0.6
vendor:	bluecoat	model:	proxysg va-20	scope:	-	version:	-	Trust: 0.6
vendor:	ziproxy	model:	ziproxy	scope:	eq	version:	2.6	Trust: 0.3
vendor:	the	model:	mac orchard dansguardian	scope:	eq	version:	0	Trust: 0.3
vendor:	squid	model:	web proxy cache pre3	scope:	eq	version:	3.0	Trust: 0.3
vendor:	squid	model:	web proxy cache pre2	scope:	eq	version:	3.0	Trust: 0.3
vendor:	squid	model:	web proxy cache pre1	scope:	eq	version:	3.0	Trust: 0.3
vendor:	squid	model:	web proxy cache	scope:	eq	version:	3.0	Trust: 0.3
vendor:	squid	model:	web proxy cache 3.0.stable7	scope:	-	version:	-	Trust: 0.3
vendor:	squid	model:	web proxy cache 3.0.stable6	scope:	-	version:	-	Trust: 0.3
vendor:	squid	model:	web proxy cache 3.0.stable5	scope:	-	version:	-	Trust: 0.3
vendor:	squid	model:	web proxy cache 3.0.stable4	scope:	-	version:	-	Trust: 0.3
vendor:	squid	model:	web proxy cache 3.0.stable3	scope:	-	version:	-	Trust: 0.3
vendor:	squid	model:	web proxy cache 3.0.stable2	scope:	-	version:	-	Trust: 0.3
vendor:	squid	model:	web proxy cache 3.0.stable13	scope:	-	version:	-	Trust: 0.3
vendor:	squid	model:	web proxy cache 3.0.stable12	scope:	-	version:	-	Trust: 0.3
vendor:	squid	model:	web proxy cache 3.0.stable1	scope:	-	version:	-	Trust: 0.3
vendor:	squid	model:	web proxy cache 2.7.stable6	scope:	-	version:	-	Trust: 0.3
vendor:	squid	model:	web proxy cache 2.7.stable5	scope:	-	version:	-	Trust: 0.3
vendor:	squid	model:	web proxy cache	scope:	eq	version:	2.7	Trust: 0.3
vendor:	smoothwall	model:	smoothguardian	scope:	eq	version:	2008	Trust: 0.3
vendor:	qbik	model:	wingate	scope:	eq	version:	6.5.2	Trust: 0.3
vendor:	qbik	model:	wingate	scope:	eq	version:	6.2.2	Trust: 0.3
vendor:	qbik	model:	wingate	scope:	eq	version:	6.2.1	Trust: 0.3
vendor:	qbik	model:	wingate	scope:	eq	version:	6.1.4.1099	Trust: 0.3
vendor:	qbik	model:	wingate	scope:	eq	version:	6.1.3.1096	Trust: 0.3
vendor:	qbik	model:	wingate	scope:	eq	version:	6.1.2.1094	Trust: 0.3
vendor:	qbik	model:	wingate	scope:	eq	version:	6.1.1.1077	Trust: 0.3
vendor:	qbik	model:	wingate build	scope:	eq	version:	6.0.31005	Trust: 0.3
vendor:	qbik	model:	wingate build	scope:	eq	version:	6.0.21001	Trust: 0.3
vendor:	qbik	model:	wingate build	scope:	eq	version:	6.0.21000	Trust: 0.3
vendor:	qbik	model:	wingate build	scope:	eq	version:	6.0.1995	Trust: 0.3
vendor:	qbik	model:	wingate build	scope:	eq	version:	6.0.1993	Trust: 0.3
vendor:	qbik	model:	wingate	scope:	eq	version:	6.0.0	Trust: 0.3
vendor:	qbik	model:	wingate	scope:	eq	version:	6.2	Trust: 0.3
vendor:	qbik	model:	wingate	scope:	eq	version:	6.1	Trust: 0.3
vendor:	gentoo	model:	linux	scope:	-	version:	-	Trust: 0.3
vendor:	funkwerk	model:	utm	scope:	eq	version:	0	Trust: 0.3
vendor:	blue	model:	coat systems proxysg	scope:	eq	version:	0	Trust: 0.3
vendor:	bloxx	model:	bloxx	scope:	eq	version:	0	Trust: 0.3
vendor:	astaro	model:	security gateway	scope:	eq	version:	7.404	Trust: 0.3
vendor:	astaro	model:	security gateway	scope:	eq	version:	7.402	Trust: 0.3
vendor:	astaro	model:	security gateway	scope:	eq	version:	7.302	Trust: 0.3
vendor:	astaro	model:	security gateway	scope:	eq	version:	7.301	Trust: 0.3
vendor:	astaro	model:	security gateway	scope:	eq	version:	7.3	Trust: 0.3
vendor:	astaro	model:	security gateway	scope:	eq	version:	7.006	Trust: 0.3
vendor:	astaro	model:	security gateway	scope:	eq	version:	7.005	Trust: 0.3
vendor:	astaro	model:	security gateway	scope:	eq	version:	7	Trust: 0.3
vendor:	ziproxy	model:	ziproxy	scope:	ne	version:	2.7	Trust: 0.3
vendor:	the	model:	mac orchard dansguardian	scope:	ne	version:	2.10.1.1	Trust: 0.3
vendor:	funkwerk	model:	utm	scope:	ne	version:	1.95.1	Trust: 0.3

sources: CERT/CC: VU#435052 // BID: 33858 // JVNDB: JVNDB-2009-002544 // CNNVD: CNNVD-200904-012 // NVD: CVE-2009-1211

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2009-1211
value:	MEDIUM
Trust: 1.0
CARNEGIE MELLON:	VU#435052
value:	3.54
Trust: 0.8
NVD:	CVE-2009-1211
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200904-012
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2009-1211
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

sources: CERT/CC: VU#435052 // JVNDB: JVNDB-2009-002544 // CNNVD: CNNVD-200904-012 // NVD: CVE-2009-1211

PROBLEMTYPE DATA

problemtype:

CWE-16

Trust: 1.8

sources: JVNDB: JVNDB-2009-002544 // NVD: CVE-2009-1211

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200904-012

TYPE

configuration error

Trust: 0.6

sources: CNNVD: CNNVD-200904-012

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-002544

PATCH

title:

ProxySG_in_transparent_deployments

url:

https://hypersonic.bluecoat.com/support/securityadvisories/ProxySG_in_transparent_deployments

Trust: 0.8

sources: JVNDB: JVNDB-2009-002544

EXTERNAL IDS

db:	NVD	id:	CVE-2009-1211	Trust: 2.7
db:	CERT/CC	id:	VU#435052	Trust: 2.4
db:	SECTRACK	id:	1021781	Trust: 2.4
db:	BID	id:	33858	Trust: 1.1
db:	SECUNIA	id:	34064	Trust: 1.0
db:	VUPEN	id:	ADV-2009-0582	Trust: 0.8
db:	JVNDB	id:	JVNDB-2009-002544	Trust: 0.8
db:	CNNVD	id:	CNNVD-200904-012	Trust: 0.6
db:	SECUNIA	id:	34014	Trust: 0.2
db:	SECUNIA	id:	34020	Trust: 0.2
db:	SECUNIA	id:	34018	Trust: 0.2
db:	SECUNIA	id:	34019	Trust: 0.2
db:	PACKETSTORM	id:	75119	Trust: 0.1
db:	PACKETSTORM	id:	75100	Trust: 0.1
db:	PACKETSTORM	id:	75126	Trust: 0.1
db:	PACKETSTORM	id:	75099	Trust: 0.1
db:	PACKETSTORM	id:	75373	Trust: 0.1

sources: CERT/CC: VU#435052 // BID: 33858 // JVNDB: JVNDB-2009-002544 // PACKETSTORM: 75119 // PACKETSTORM: 75100 // PACKETSTORM: 75126 // PACKETSTORM: 75099 // PACKETSTORM: 75373 // CNNVD: CNNVD-200904-012 // NVD: CVE-2009-1211

REFERENCES

url:	http://www.securitytracker.com/id?1021781	Trust: 2.4
url:	https://hypersonic.bluecoat.com/support/securityadvisories/proxysg_in_transparent_deployments	Trust: 2.0
url:	http://www.kb.cert.org/vuls/id/435052	Trust: 1.6
url:	http://www.thesecuritypractice.com/the_security_practice/transparentproxyabuse.pdf	Trust: 0.8
url:	http://www.ietf.org/rfc/rfc2616.txt	Trust: 0.8
url:	http://www.webappsec.org/lists/websecurity/archive/2008-06/msg00073.html	Trust: 0.8
url:	http://www.us-cert.gov/reading_room/securing_browser/	Trust: 0.8
url:	http://kb.adobe.com/selfservice/viewcontent.do?externalid=tn_14213	Trust: 0.8
url:	http://www.w3.org/protocols/rfc2616/rfc2616-sec9.html	Trust: 0.8
url:	http://www.owasp.org/index.php/testing_for_http_methods_and_xst_(owasp-cm-008)#black_box_testing_and_example	Trust: 0.8
url:	http://en.wikipedia.org/w/index.php?title=list_of_tcp_and_udp_port_numbers&oldid=266934839	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1211	Trust: 0.8
url:	http://jvn.jp/cert/jvnvu435052/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1211	Trust: 0.8
url:	http://secunia.com/advisories/34064	Trust: 0.8
url:	http://www.securityfocus.com/bid/33858	Trust: 0.8
url:	http://www.vupen.com/english/advisories/2009/0582	Trust: 0.8
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.5
url:	http://secunia.com/advisories/business_solutions/	Trust: 0.5
url:	http://secunia.com/advisories/try_vi/	Trust: 0.5
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.5
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.5
url:	http://www.cgisecurity.com/2009/07/more-products-identified-using-vulnerable-transparent-proxy-architecture.html	Trust: 0.3
url:	http://www.smoothwall.net/products/smoothguardian2008/	Trust: 0.3
url:	http://www.thesecuritypractice.com/the_security_practice/2009/03/socket-capable-browser-plugins-result-in-transparent-proxy-abuse.html	Trust: 0.3
url:	http://www.squid-cache.org/	Trust: 0.3
url:	http://www.wingate.com/	Trust: 0.3
url:	http://ziproxy.sourceforge.net/	Trust: 0.3
url:	http://secunia.com/advisories/34014/	Trust: 0.1
url:	http://www.kb.cert.org/vuls/id/mapg-7m6sm7	Trust: 0.1
url:	http://secunia.com/advisories/34020/	Trust: 0.1
url:	http://secunia.com/advisories/34018/	Trust: 0.1
url:	http://www.kb.cert.org/vuls/id/mapg-7n9gn8	Trust: 0.1
url:	http://secunia.com/advisories/34019/	Trust: 0.1
url:	http://secunia.com/advisories/34064/	Trust: 0.1

CREDITS

Robert Auger from the PayPal Information Risk Management team

Trust: 0.9

sources: BID: 33858 // CNNVD: CNNVD-200904-012

SOURCES

db:	CERT/CC	id:	VU#435052
db:	BID	id:	33858
db:	JVNDB	id:	JVNDB-2009-002544
db:	PACKETSTORM	id:	75119
db:	PACKETSTORM	id:	75100
db:	PACKETSTORM	id:	75126
db:	PACKETSTORM	id:	75099
db:	PACKETSTORM	id:	75373
db:	CNNVD	id:	CNNVD-200904-012
db:	NVD	id:	CVE-2009-1211

LAST UPDATE DATE

2024-11-23T19:39:34.819000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#435052	date:	2009-09-28T00:00:00
db:	BID	id:	33858	date:	2013-09-28T00:16:00
db:	JVNDB	id:	JVNDB-2009-002544	date:	2010-08-27T00:00:00
db:	CNNVD	id:	CNNVD-200904-012	date:	2009-04-01T00:00:00
db:	NVD	id:	CVE-2009-1211	date:	2024-11-21T01:01:55.193

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#435052	date:	2009-02-23T00:00:00
db:	BID	id:	33858	date:	2009-02-23T00:00:00
db:	JVNDB	id:	JVNDB-2009-002544	date:	2010-08-27T00:00:00
db:	PACKETSTORM	id:	75119	date:	2009-02-23T14:11:04
db:	PACKETSTORM	id:	75100	date:	2009-02-23T12:27:14
db:	PACKETSTORM	id:	75126	date:	2009-02-24T15:54:02
db:	PACKETSTORM	id:	75099	date:	2009-02-23T12:27:11
db:	PACKETSTORM	id:	75373	date:	2009-03-04T15:05:53
db:	CNNVD	id:	CNNVD-200904-012	date:	2009-04-01T00:00:00
db:	NVD	id:	CVE-2009-1211	date:	2009-04-01T10:30:00.407