CERT Advisory VU#435052: An Architectural Flaw Involving Transparent Proxies
For the past year, in my spare time, I've been researching a flaw involving transparent proxies, and today CERT has published an advisory for this issue. If you have a vulnerable proxy on your intranet, NOW is the time to patch (details of affected vendors are in the CERT advisory).
I will be publishing a comprehensive document at a later time outlining additional behaviors not discussed in the CERT advisory. Stay Tuned....
CERT Advisory: http://www.kb.cert.org/vuls/id/435052
Doesn't this vulnerability only apply where the proxy (1) makes connection decisions based on the HTTP header info, but (2) makes the actual connection based on the original destination IP of the intercepted packet?
Where the destination of the onward connection is also based on the header information, there is no vulnerability.
Posted by: Rich | Feb 26, 2009 7:35:17 AM
Hello Rich,
I will be releasing a paper sometime in March which outlines this exact question. I'm hesitant to provide too many details at this stage in order to provide additional time for vendors to address the issue (Note: I am not trying to 'hype' this bug up as many others in the industry tend to do). The vendors that I've personally spoken with acknowledge this issue.
I will disclose that I have created a Flash POC (which I will not be releasing as it serves no positive purpose) demonstrating this abusive behavior. If your transparent proxy is located on your internal network, then this flash will be able to access anything the proxy has access to.
Sorry if I'm being vague, I hope you understand.
Posted by: Robert | Feb 26, 2009 10:11:11 AM