WebWasher Classic connect gain access
webwasher-classic-connect-gain-access (19144)
Description:
WebWasher Classic could allow a remote attacker to connect to certain ports on a victim's system. A remote attacker could connect to the WebWasher port (TCP port 8080 by default) and supply a CONNECT request to WebWasher to access the target port.
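The check whose absence is described here, as an added example (not WebWasher's code or the vendor's fix): a proxy-side policy that drops CONNECT requests from external clients when the target is the local host, including alternate spellings of loopback. The function names, the loopback name list and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Assumption: names treated as loopback without resolving them.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def split_authority(authority):
    """Split a CONNECT target ('host:port' or '[v6]:port') into (host, port)."""
    host, sep, port = authority.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("CONNECT target must be host:port")
    return host.strip("[]").rstrip(".").lower(), int(port)

def is_loopback(host):
    """True if host names this machine: loopback name, 127/8, ::1 or 0.0.0.0."""
    if host in LOOPBACK_NAMES or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:  # legacy IPv4 spellings such as "127.1" that resolvers still accept
            ip = ipaddress.IPv4Address(socket.inet_aton(host))
        except (OSError, ValueError):
            return False  # a DNS name; re-check the resolved address before connecting
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:127.0.0.1
    if mapped is not None:
        ip = mapped
    return ip.is_loopback or ip.is_unspecified

def allow_connect(client_ip, request_line):
    """Permit a well-formed CONNECT unless an external client targets loopback."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return False
    try:
        host, _port = split_authority(parts[1])
    except ValueError:
        return False
    return is_loopback(client_ip) or not is_loopback(host)

# Constructed sample requests: (peer address, request line).
SAMPLES = [
    ("192.0.2.10", "CONNECT example.com:443 HTTP/1.1"),
    ("192.0.2.10", "CONNECT 127.0.0.1:25 HTTP/1.0"),
    ("192.0.2.10", "CONNECT [::ffff:127.0.0.1]:25 HTTP/1.0"),
    ("127.0.0.1", "CONNECT localhost:25 HTTP/1.0"),
]

if __name__ == "__main__":
    for peer, line in SAMPLES:
        print(peer, line, "->", "allow" if allow_connect(peer, line) else "drop")
```

The decision is made on the peer address of the accepted socket, not on anything the client sends, and a DNS name that resolves to loopback still has to be caught by checking the resolved address at connect time.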
Platforms Affected:
- webwasher, WebWasher Classic 2.2.1
- webwasher, WebWasher Classic 3.3
Remedy:
Upgrade to the latest version of WebWasher Classic (3.4 or later), available from the WebWasher Classic Web site. See References.
Consequences:
Gain Access
References:
- BugTraq Mailing List, Fri Jan 28 2005 - 06:46:35 CST, WebWasher Classic - HTTP CONNECT weakness at http://archives.neohapsis.com/archives/bugtraq/2005-01/0315.html.
- WebWasher Classic Web site, webwasher AG | Home at https://www.webwasher.com/client/home/index.html?lang=de_EN.
- BID-12394: WebWasher Classic HTTP CONNECT Unauthorized Access Weakness
- CVE-2005-0316: WebWasher Classic 2.2.1 and 3.3, when running in server mode, does not properly drop CONNECT requests to the localhost from external systems, which could allow remote attackers to bypass intended access restrictions.
- SA14058: WebWasher Classic Server Mode Proxying Vulnerability
- SECTRACK ID: 1013036: WebWasher Classic Lets Remote Users Connect to Localhost Ports
Reported:
Jan 28, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
