Topic: Browser plug-ins, transparent proxies and same origin policies

Interesting bug...

http://isc.sans.org/diary.html?storyid=5989
http://www.kb.cert.org/vuls/id/435052

I'm not sure if this affects tinyproxy (used by PacketProtector), but I'll keep digging.

Cheers,
Charlie

Re: Browser plug-ins, transparent proxies and same origin policies

And the original paper...

http://www.thesecuritypractice.com/the_ … abuse.html

Re: Browser plug-ins, transparent proxies and same origin policies

From the paper-

Reproduction Instructions

To identify if your environment is vulnerable you can perform the following manual steps.

1. Perform a DNS lookup against a test website name
2. Telnet to that website’s IP on port 80 ( $ telnet <host> 80 )
3. Paste the following request as the payload
GET / HTTP/1.0
Host: <put a different website name here>
4. Hit enter twice

It is important to specify a different website name in the ‘Host’ header. The reply will look similar to the following with HTTP headers followed by HTML.

HTTP/1.1 200 OK
Date: Thu, 05 Mar 2009 22:20:41 GMT
Server: Apache
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
<html>

If you receive content from the host specified in the host header then you’re affected.

I'll have to try this.

Re: Browser plug-ins, transparent proxies and same origin policies

I haven't tested tinyproxy yet, but here's a related document.  It's an excellent read-

http://www.doxpara.com/Staring%20Into%20The%20Abyss.pdf

Cheers,
Charlie

Re: Browser plug-ins, transparent proxies and same origin policies

Looks like tinyproxy is vulnerable-

$ telnet www.google.com 80
Trying 208.69.36.231...
Connected to google.navigation.opendns.com.
Escape character is '^]'.
GET / HTTP/1.0
Host: packetprotector.org

HTTP/1.1 200 OK
Via: 1.0 tinyproxy (tinyproxy/1.6.3)
Content-Type: text/html
ETag: "38804c-4aac-d7655480"
Server: Apache/2.0.48 (Fedora)
Date: Wed, 11 Mar 2009 20:09:22 GMT
Last-Modified: Sun, 08 Feb 2009 03:28:02 GMT
Content-Length: 19116
Accept-Ranges: bytes

<html>

<head>
<title>PacketProtector.org: security solution for wireless routers</title>

Charlie