I2037: Comment on vulnerabilities reported in FreeProxy | Knowledge Base

Home > Knowledge Base > FreeProxy Knowledge Base > I2037: Comment on vulnerabilities reported in FreeProxy

Home

Download

Knowledge Base

User Page

Hi Guest

IP: 3.142.35.75

Knowledge Base

I2037: Comment on vulnerabilities reported in FreeProxy

Summary
Product: FreeProxy
Versions: FreeProxy, built before 9 Jan 2004
Note: 2037
Date reported: 09 Jan 2004

Issue Detail
Two vulnerabilities were reported in FreeProxy in the following article:
http://www.security-protocols.com/modules.php?name=News&file=article&sid=1691&mode=&order=0&thold=0

Solution
The scope of both problems relate to the FreeWeb which is the web server component. There are no reported problems with FreeProxy. Details are as follows:

Directory traversal.
By including "../" in the URL, it was possible to open files above the root directory. The vulnerability was limited to reading as the web server is not able to post at this stage. This problem has been fixed.

CreateFile error
For some reason the tester used a "GET CreateFile" command. The word "CreateFile" had no significance as FreeWeb does not execute commands built into the URL. The same error would have occurred for any word placed after the get without a leading "/". The problem related to a bug in the parser which has now been fixed.

Rectified
All FreeProxy versions built after 9 Jan 2004

Hand-Crafted Software.

MemHT Portal is a free software released under the GNU/GPL License by Miltenovik Manojlo