Softpedia
 

February 24th, 2009, 09:42 GMT · By

Critical Flaw Found in Proxy Servers

Transparent proxy server implementations vulnerable to remote attack
Several popular proxy server packages can pose a significant security risk when running in transparent interception mode, due to an architectural flaw. By tricking a user behind the proxy server into loading maliciously-crafted active code inside the browser, an attacker can obtain access to resources on the internal network.

Transparent proxy implementations are used by administrators for various network-management tasks, including load balancing and caching. While few large companies use it, this setup is popular with many smaller networks, especially those with limited bandwidth at their disposal and a high number of users. Such implementations do not require any configuration on the clients' end, such as modifying browser connection settings.

Unauthorized access to internal resources can be obtained because some proxy servers improperly make decisions based only on the value of the HTTP Host header. An attacker can forge this value by using rogue active content, like Flash, Java or Silverlight, embedded into Web pages. The malicious code can then be inserted into legitimate websites, through XSS (cross-site scripting) attacks, or into web pages created by the attackers themselves.
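The decision described above, sketched as an added example (not code from the advisory or from any of the affected proxies): one function picks the upstream from the Host header alone, the other treats the destination address the client actually connected to as authoritative. The DNS table, hostnames, addresses and function names are constructed for illustration.

```python
from typing import Optional

# Constructed DNS view as the proxy would see it (stand-in for a real resolver).
DNS = {
    "www.example.com": {"203.0.113.10"},       # public site
    "intranet.corp.example": {"10.0.0.5"},     # internal-only resource
}

def parse_host(raw: bytes) -> str:
    """Return the Host header name (port stripped; IPv6 literals not handled)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().split(":", 1)[0].lower()
    return ""

def upstream_by_host(raw: bytes, orig_dst_ip: str) -> Optional[str]:
    """Flawed decision: ignore where the client connected, follow Host."""
    addrs = DNS.get(parse_host(raw), set())
    return sorted(addrs)[0] if addrs else None

def upstream_checked(raw: bytes, orig_dst_ip: str) -> Optional[str]:
    """Checked decision: the intercepted destination IP is authoritative;
    the request is refused when Host does not resolve to that address."""
    if orig_dst_ip not in DNS.get(parse_host(raw), set()):
        return None
    return orig_dst_ip

# Constructed requests, both intercepted on a connection to 203.0.113.10.
HONEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
MISMATCHED = b"GET / HTTP/1.1\r\nHost: intranet.corp.example\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("honest", HONEST), ("mismatched", MISMATCHED)):
        print(label, upstream_by_host(req, "203.0.113.10"),
              upstream_checked(req, "203.0.113.10"))
```

With the Host-only decision the mismatched request is sent to the internal address; with the checked decision it is refused, while the honest request still reaches the site the client connected to.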

Exploitation can occur when users located behind the proxy server load a page containing such active code into their Web browsers. "An attacker may be able to make full connections to any website or resource that the proxy can connect to. These sites may include internal resources such as intranet sites that would not usually be exposed to the Internet," notes an advisory issued by US-CERT.

The flaw was discovered by reputed Web security researcher Robert Auger from the PayPal Information Risk Management team. In a posting on his own CGISecurity website, Mr. Auger notes that "I will be publishing a comprehensive document in March outlining additional behaviors not discussed in the CERT advisory."

While no patches have yet been released, the US-CERT advisory suggests several temporary workarounds for administrators, users and vendors in order to mitigate possible attacks. Mozilla Firefox users can deploy the NoScript extension, which allows controlling which websites have the right to load active content inside the browser. Meanwhile, network administrators are advised to restrict the CONNECT method on proxy servers to only the minimum required ports, for example 80/tcp and 443/tcp for HTTP proxies.

Robert Auger confirms that proxy implementations from QBIK New Zealand, SmoothWall, Squid and Ziproxy are vulnerable. However, others may also be affected.
