Vulnerabilities > CVE-2005-0316 - Unspecified vulnerability in Webwasher Classic 2.2.1/3.3

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
webwasher
nessus
exploit available

Summary

WebWasher Classic 2.2.1 and 3.3, when running in server mode, does not properly drop CONNECT requests to the localhost from external systems, which could allow remote attackers to bypass intended access restrictions.

Vulnerable Configurations

Part Description Count
Application
Webwasher
2

Exploit-Db

description: WebWasher Classic 2.2/2.3 HTTP CONNECT Unauthorized Access. CVE-2005-0316. Remote exploits for multiple platforms
id: EDB-ID:25066
last seen: 2016-02-03
modified: 2005-01-28
published: 2005-01-28
reporter: Oliver Karow
source: https://www.exploit-db.com/download/25066/
title: WebWasher Classic 2.2/2.3 HTTP CONNECT Unauthorized Access

Nessus

NASL family: Web Servers
NASL id: WEBWASHER_UNAUTHORIZED.NASL
description: There is a flaw in the remote WebWasher Proxy. When issued a CONNECT request for 127.0.0.1 (or localhost/loopback), the proxy complies with the request and initiates a connection to the local machine. This bypasses any firewalling and exposes local applications that are bound only to the loopback interface.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16277
published: 2005-01-31
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/16277
title: WebWasher Classic Server Mode Arbitrary Proxy CONNECT Request
code:
#
# (C) Tenable Network Security, Inc.
#

include( 'compat.inc' );

# Plugin registration: this branch only records metadata for the plugin
# database; the actual check is the code that follows the block.
if(description)
{
  # Plugin identity and the public identifiers it is mapped to.
  script_id(16277);
  script_version ("1.16");
  script_cve_id("CVE-2005-0316");
  script_bugtraq_id(12394);

  script_name(english:"WebWasher Classic Server Mode Arbitrary Proxy CONNECT Request");
  script_summary(english:"Checks for the presence of WebWasher Proxy");

  script_set_attribute(
    attribute:'synopsis',
    value:'The remote service is vulnerable to an access control breach.'
  );

  # Report text shown to the user; it restates the advisory, not anything
  # the check below verifies directly.
  script_set_attribute(
    attribute:'description',
    value:"There is a flaw in the remote WebWasher Proxy.  The Proxy, when issued
a CONNECT command for 127.0.0.1 (or localhost/loopback), will comply with
the request and initiate a connection to the local machine.

This bypasses any sort of firewalling as well as gives access to local
applications which are only bound to the loopback."
  );

  script_set_attribute(
    attribute:'solution',
    value: "Upgrade to a version of WebWasher greater than 3.3."
  );
  # Severity as published (CVSSv2 7.5): network-reachable, low complexity,
  # no authentication; the temporal vector records a public proof of concept.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(
    attribute:'see_also',
    value:'https://seclists.org/bugtraq/2005/Jan/350'
  );

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/01/31");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/01/28");
 script_cvs_date("Date: 2018/11/15 20:50:26");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # ACT_GATHER_INFO: the check below only fetches a page and matches the
  # advertised version; it never issues a CONNECT request itself, so a
  # patched build that still reports one of the matched versions would be flagged.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"Web Servers");
  # Run after service/HTTP detection; target detected www services, defaulting to 8080.
  script_dependencie("find_service1.nasl", "httpver.nasl", "http_version.nasl");
  script_require_ports("Services/www", 8080);
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Banner-based check: request a page that should not exist and look at the
# proxy's own error page for a WebWasher version string.
port = get_http_port(default:8080);

res = http_send_recv3(method:"GET", item:"/nessus345678.html", port:port);
if (isnull(res)) exit(0);

# NOTE(review): the original reads element 1 of the http_send_recv3 result;
# kept unchanged here. Confirm that this element is the one carrying the HTML
# error page, otherwise the match below can never succeed.
banner = res[1];

# Only WebWasher's own 400 error page carries the generator footer matched below.
if ( "<html><head><title>WebWasher - Error 400: Bad Request</title>" >!< banner ) exit(0);

# Version ranges reported as affected: 0.x-2.x and 3.0-3.3. This is a version
# match only; the script does not attempt the CONNECT request itself.
vuln_footer = "<small><i>generated .* by .* \(WebWasher ([0-2]\..*|3\.[0-3])\)</i></small>";
if (egrep(pattern:vuln_footer, string:banner))
{
  security_hole(port);
  exit(0);
}