Nmap Development mailing list archives
Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass"
From: Gutek <ange.gutek () gmail com>
Date: Wed, 12 Oct 2011 19:01:00 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Le 12/10/2011 09:34, Michael Meyer a écrit :
*** Gutek <ange.gutek () gmail com> wrote:Yes, that's the key point : getting an error status code, whatever it could be. Maybe a 30s timeout is, here, too short ? On the other hand, a timeout of >1m could make this script very slow. I have to figure out the best balance between speed and efficiency.I'm doing something like the following for OpenVAS at the moment: ,---| | mime@kira[4]: ~ 0)$ telnet 192.168.2.7 80 | Trying 192.168.2.7... | Connected to 192.168.2.7. | Escape character is '^]'. | GET @6666.6666.6666.6666 HTTP/1.0 | | HTTP/1.1 200 OK | Date: Wed, 12 Oct 2011 06:46:28 GMT | Server: Apache/2.2.10 (Linux/SUSE) | Vary: accept-language,accept-charset | Accept-Ranges: bytes | Content-Type: text/html; charset=iso-8859-1 | Content-Language: en | Connection: close | | [...] | |<title>Bad Gateway!</title> `---| With such a wrong "ip", a vulnerable server immediately returns a 200 and "Bad Gateway". Could you confirm that? Micha
I'd rather say no. On the first hand, Contextis' analysis concludes that (in the case of the LAN ip test, that's different for the other ones) a vulnerable reverse proxy should return an *error* within a *delay* (...when querying a non-existing host). According to this statement, *immediately* should be the evidence for a *non* -vulnerable target, and a 200 as well, whatever the title would be. In this particular case, a 200 which is in fact a customized error answer (the normal behavior would be a code 502 in this case), I'd conclude maybe "filtered" or "patched". Plus, we have no delay, which sounds to me like a filtering system is immediately spotting something wrong. On the other hand, my own tests seem to show that everytime I get a 200, that was in fact a false-positive. It seems to confirm the Contextis conclusion on that matter. The only case when you could get an immediate 200 is the one when you've hit an existing LAN webservice. Lucky you :) Cheers ! A.G. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6Vx8wACgkQ3aDTTO0ha7hqvwCfY8ODKFGBKtFG49TTfvmtymo9 qbIAnRxqf9Fj9aqaknXAQP5tZFUAWz+f =IiJz -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Gutek (Oct 10)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Paulino Calderon (Oct 10)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Gutek (Oct 11)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" David Fifield (Oct 12)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Michael Meyer (Oct 11)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Gutek (Oct 11)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Michael Meyer (Oct 12)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Gutek (Oct 12)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Michael Meyer (Oct 12)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Patrik Karlsson (Nov 05)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Patrik Karlsson (Nov 11)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Patrik Karlsson (Nov 17)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Gutek (Oct 11)
- Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass" Paulino Calderon (Oct 10)