Home / exploitsPDF  

Glype Proxy 1.4.9 Cross Site Request Forgery

Posted on 24 September 2014

------------------------------------------------------------------------ Glype proxy privacy settings can be disabled via CSRF ------------------------------------------------------------------------ Securify, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A path traversal vulnerability has been identified in the Glype web-based proxy that allows an attacker to run arbitrary PHP code on the server or to remove critical files from the filesystem. This only affects servers that are configured to: - store Glype cookies locally; AND - disable PHP display_errors; AND - allow the webserver process to write to the filesystem (document root). ------------------------------------------------------------------------ Affected versions ------------------------------------------------------------------------ This issue has been identified in Glype 1.4.9. Older version are most likely affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Glype was informed and a fixed version (1.4.10) is now available at www.glype.com ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ http://www.securify.nl/advisory/SFY20140902/glype_proxy_privacy_settings_can_be_disabled_via_csrf.html Glype local address bypass Glype uses the following code (regex) to filter out internal/local addresses. This is intended to prevent proxy users from attacking local/internal resources through Glype. browse.php # Protect LAN from access through proxy (protected addresses copied from PHProxy) if ( preg_match('#^(?:127.|192.168.|10.|172.(?:1[6-9]|2[0-9]|3[01]).|localhost)#i', $URL['host']) ) { error('banned_site', $URL['host']); } This regex can easily be bypassed by using a decimal format IP address, which allows an attacker to browse/attack the internal server/network Glype is running on. For example, if a server running Glype also runs phpmyadmin or another admin panel on local host, browsing to http://2130706433/phpmyadmin (2130706433 equals 127.0.0.1 in decimal) causes Glype to create a local connection to phpmyadmin, allowing remote access. Other internal web pages running on the internal network could be accessed like this as well. Possible fix Resolving the hostname using PHP’s gethostbyname before using the regular expression will eliminate this bypass. $URL['host'] = gethostbyname($URL['host’]); # Protect LAN from access through proxy (protected addresses copied from PHProxy) if ( preg_match('#^(?:127.|192.168.|10.|172.(?:1[6-9]|2[0-9]|3[01]).|localhost)#i', $URL['host']) ) { error('banned_site', $URL['host']); }

 

TOP