Vulnerabilities > CVE-2004-2107 - Unspecified vulnerability in Finjan Software Surfingate

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
finjan-software
nessus
exploit available

Summary

Finjan SurfinGate 6.0 and 7.0, when running in proxy mode, does not authenticate FHTTP commands on TCP port 3141, which allows remote attackers to use the finjan-parameter-type header to (1) restart the service, (2) use the getlastmsg command to view log information, or (3) use the online command to force a policy update from the database server.

Exploit-Db

descriptionFinjan SurfinGate 6.0/7.0 FHTTP Restart Command Execution Vulnerability. CVE-2004-2107. Remote exploit for linux platform
idEDB-ID:23585
last seen2016-02-02
modified2004-01-23
published2004-01-23
reporterDavid Byrne
sourcehttps://www.exploit-db.com/download/23585/
titleFinjan SurfinGate 6.0/7.0 FHTTP Restart Command Execution Vulnerability

Nessus

NASL familyFirewalls
NASL idFINJAN_CMD_RESTART.NASL
descriptionThe remote host is running a Finjan SurfinGate, a web proxy. It is possible to bypass admin authentication by using the proxy to connect to itself. A remote attacker could exploit this to view log information, force a policy update, or restart the service.
last seen2020-06-01
modified2020-06-02
plugin id12036
published2004-02-02
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/12036
titleFinjan SurfinGate Proxy FHTTP Command Admin Functions Authentication Bypass
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if(description)
{ 
 script_id(12036);
 script_version ("1.17");
 script_cve_id("CVE-2004-2107");
 script_bugtraq_id(9478);
 script_xref(name:"Secunia", value:"10714");
 
 script_name(english:"Finjan SurfinGate Proxy FHTTP Command Admin Functions Authentication Bypass");
 script_summary(english:"determines if the remote proxy can connect against itself");
 
 script_set_attribute(
   attribute:"synopsis",
   value:"The remote proxy server has a security bypass vulnerability."
 );
 script_set_attribute(attribute:"description",  value:
"The remote host is running a Finjan SurfinGate, a web proxy.

It is possible to bypass admin authentication by using the proxy to
connect to itself.  A remote attacker could exploit this to view log
information, force a policy update, or restart the service." );
 script_set_attribute(
   attribute:"see_also",
   value:"https://seclists.org/fulldisclosure/2004/Jan/925"
 );
 script_set_attribute(
   attribute:"solution", 
   value:"Block all connection attempts to the control port."
 );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2004/02/02");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/01/27");
 script_cvs_date("Date: 2018/11/15 20:50:22");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_family(english:"Firewalls");

 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");

 script_dependencie("find_service1.nasl");
 script_require_ports("Services/http_proxy", 3128);

 exit(0);
}

#
# The script code starts here
#

port = get_kb_item("Services/http_proxy");
if(!port) port = 3128;

if ( get_port_state(port) )
{
 soc = open_sock_tcp(port);
 if ( ! soc ) exit(0);

 send(socket:soc, data:'CONNECT localhost:3141 HTTP/1.0\r\n\r\n');
 r = recv_line(socket:soc, length:4096); 
 if ( ! r ) exit(0);
 if ( "200 Connection established" >!< r ) exit(0);
 r = recv_line(socket:soc, length:4096); 
 if ( ! r ) exit(0);
 if ( 'Proxy-agent: Finjan' >< r ) security_hole(port);
 close(soc);
}