Compaq Web-enabled management software could allow users to bypass proxy settings
| compaq-wbm-bypass-proxy (6264) |  High Risk |
Description:
Compaq Web-enabled management software is installed on port 2301 with "everyone" access, which could allow a remote attacker to bypass proxy settings on the internal network to gain access to external networks. A remote attacker could also gain access to the internal network if there is no firewall on the network.
Platforms Affected:
- Compaq, Web-Enabled Management
Remedy:
Apply the appropriate patch for your system, as listed in Compaq Security Advisory SSRT0715. See References.
Consequences:
Gain Access
References:
- BugTraq Mailing List, Thu Mar 22 2001 - 11:46:04 CST, Compaq Insight Manager Proxy Vuln at http://archives.neohapsis.com/archives/bugtraq/2001-03/0321.html.
- Compaq Security Advisory SSRT0715, Compaq management software security vulnerability at http://www.compaq.com/products/servers/management/mgtsw-advisory.html.
- BID-2500: Compaq Management Software Proxy Vulnerability
- CVE-2001-0374: The HTTP server in Compaq web-enabled management software for (1) Foundation Agents, (2) Survey, (3) Power Manager, (4) Availability Agents, (5) Intelligent Cluster Administrator, and (6) Insight Manager can be used as a generic proxy server, which allows remote attackers to bypass access restrictions via the management port, 2301.
- US-CERT VU#991240: Compaq web-enabled management software acts as generic proxy
Reported:
Mar 23, 2001
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net