• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Cacheflow CacheOS Web Administration Arbitrary Cached Page Code Leakage Vulnerability

CacheOS is the firmware designed and distributed with CacheFlow web cache systems. It is maintained and distributed by CacheFlow.

When a user connects to the system via the web administration interface on port 8081, and issues an HTTP standard-compliant request to the system, the system will prevent the user from accessing any information managed by the cache server. However, a user connecting to the system and issuing a request without the HTTP version request type (i.e. HTTP/1.0 or HTTP/1.1) multiple times may gain access to sensitive information. The cache server will leak information such as parts of URLs being accessed by a client currently connected to the cache server.

This problem makes it possible for a user to gather information, and potentially gain access to passwords, userids, or other potentially sensitive information.