Nmap Development mailing list archives
Re: [Request for Testers] CVE-2011-3368 "Reverse Proxy Bypass"
From: Michael Meyer <michael.meyer () greenbone net>
Date: Wed, 12 Oct 2011 20:03:03 +0200
*** Gutek <ange.gutek () gmail com> wrote:
> On 12/10/2011 09:34, Michael Meyer wrote:
>> With such a wrong "ip", a vulnerable server immediately returns a 200
>> and "Bad Gateway". Could you confirm that?
> I'd rather say no. On the first hand, Contextis' analysis concludes
> that (in the case of the LAN ip test, that's different for the other
> ones) a vulnerable reverse proxy should return an *error*

They are talking about an error *page* in their report. My vulnerable
system returns an error *page*. ;)

> within a *delay*

There could be no delay, if you are using such a wrong "ip" like
"6666.6666.6666.6666". The apache *must* immediately fail to connect.

[Wed Oct 12 19:41:26 2011] [error] [client 192.168.2.7] proxy: DNS lookup failure for: 6666.6666.6666.6666 returned by @6666.6666.6666.6666

There is only a delay, if you are using a *valid* ip which is not within
the current network.

> According to this statement, *immediately* should be the evidence for
> a *non*-vulnerable target,

Only if you are using a *valid* ip which is within the current network.
I have a delay if I'm using e.g. "@10.10.10.1 HTTP/1.0" in a
192.168.2.0/24.

> and a 200 as well, whatever the title would be.

I always got a 200 from vulnerable systems.

> On the other hand, my own tests seem to show that every time I get a
> 200, that was in fact a false positive. It seems to confirm the
> Contextis conclusion on that matter.

,----
| mime@kira[13]: ~ 0)$ telnet 192.168.2.7 80
| Trying 192.168.2.7...
| Connected to 192.168.2.7.
| Escape character is '^]'.
| GET @10.10.10.1 HTTP/1.0
|
| HTTP/1.1 200 OK
|
| [...]
|
| <title>Service unavailable!
`----

The exploit at http://www.exploit-db.com/exploits/17969/ also accepts
200 as a valid response code for vulnerable servers. You maybe should
try to set up a vulnerable environment.

Micha

--
Michael Meyer
OpenPGP Key: 52A6EFA6
http://www.greenbone.net/

Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
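An added example for the defender's side of this exchange, not code from the thread or from the Nmap script under test: it pulls the "returned by @host" signature of a CVE-2011-3368 style request out of Apache error_log lines (the line quoted in the mail plus constructed ones) and extracts status code and title from a captured response, so the "200 plus error page" heuristic argued over above can be checked against real data. The regex for the log line and the constructed sample lines are assumptions based on the format shown in the mail.

```python
import re

# Apache 2.2 mod_proxy logs a failed proxied request as
# "proxy: <reason> returned by <request-uri>". For a request of the form
# "GET @host HTTP/1.0" that URI starts with "@", which is what this
# pattern keys on (format assumed from the line quoted in the mail).
PROXY_ERROR = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"proxy: (?P<reason>.+?) returned by (?P<target>@\S+)$"
)

def find_probe_events(log_lines):
    """Return dicts (ts, client, reason, target) for every error_log
    entry whose proxied target begins with '@'."""
    events = []
    for line in log_lines:
        m = PROXY_ERROR.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def parse_response(raw):
    """Return (status code, <title> text) from a raw HTTP response;
    the title may be unterminated, as in the telnet capture above."""
    head, _, body = raw.partition("\r\n\r\n")
    status = int(head.split(" ", 2)[1])
    m = re.search(r"<title>\s*(.*?)\s*(?:</title>|$)", body, re.I | re.S)
    return status, (m.group(1) if m else None)

# Sample input: the first line is the one quoted in the mail; the other
# two are constructed (an unrelated error and a second probe).
SAMPLE_LOG = [
    "[Wed Oct 12 19:41:26 2011] [error] [client 192.168.2.7] proxy: DNS lookup failure for: 6666.6666.6666.6666 returned by @6666.6666.6666.6666",
    "[Wed Oct 12 19:41:30 2011] [error] [client 192.168.2.7] File does not exist: /var/www/favicon.ico",
    "[Wed Oct 12 19:42:01 2011] [error] [client 192.168.2.9] proxy: Error reading from remote server returned by @10.10.10.1",
]

# Constructed response shaped like the telnet capture in the mail.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><head><title>Service unavailable!</title></head></html>"
)

if __name__ == "__main__":
    for ev in find_probe_events(SAMPLE_LOG):
        print(f"{ev['ts']}: {ev['client']} probed {ev['target']} ({ev['reason']})")
    print(parse_response(SAMPLE_RESPONSE))
```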