Home / exploitsPDF  

Glype Proxy 1.4.9 Filter Bypass

Posted on 24 September 2014

------------------------------------------------------------------------ Glype proxy local address filter bypass ------------------------------------------------------------------------ Securify, September 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A vulnerability has been identified in the Glype web-based proxy. Glype has a filter to disallow users from surfing to local addresses, to prevents users from attacking the local server/network Glype is running on. The filter can easily be bypassed by using IPs in decimal form. ------------------------------------------------------------------------ Affected versions ------------------------------------------------------------------------ This issue has been identified in Glype 1.4.9. Older version are most likely affected as well. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Glype was informed and a fixed version (1.4.10) is now available at www.glype.com ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ http://www.securify.nl/advisory/SFY20140902/glype_proxy_local_address_filter_bypass.html Glype local address bypass Glype uses the following code (regex) to filter out internal/local addresses. This is intended to prevent proxy users from attacking local/internal resources through Glype. browse.php # Protect LAN from access through proxy (protected addresses copied from PHProxy) if ( preg_match('#^(?:127.|192.168.|10.|172.(?:1[6-9]|2[0-9]|3[01]).|localhost)#i', $URL['host']) ) { error('banned_site', $URL['host']); } This regex can easily be bypassed by using a decimal format IP address, which allows an attacker to browse/attack the internal server/network Glype is running on. For example, if a server running Glype also runs phpmyadmin or another admin panel on local host, browsing to http://2130706433/phpmyadmin (2130706433 equals 127.0.0.1 in decimal) causes Glype to create a local connection to phpmyadmin, allowing remote access. Other internal web pages running on the internal network could be accessed like this as well. Possible fix Resolving the hostname using PHP’s gethostbyname before using the regular expression will eliminate this bypass. $URL['host'] = gethostbyname($URL['host’]); # Protect LAN from access through proxy (protected addresses copied from PHProxy) if ( preg_match('#^(?:127.|192.168.|10.|172.(?:1[6-9]|2[0-9]|3[01]).|localhost)#i', $URL['host']) ) { error('banned_site', $URL['host']); }

 

TOP