------------------------------------------------------------------------
Glype proxy local address filter bypass
------------------------------------------------------------------------
Securify, September 2014
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A vulnerability has been identified in the Glype web-based proxy. Glype
has a filter to disallow users from surfing to local addresses, to
prevents users from attacking the local server/network Glype is running
on. The filter can easily be bypassed by using IPs in decimal form.
------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
This issue has been identified in Glype 1.4.9. Older version are most
likely affected as well.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Glype was informed and a fixed version (1.4.10) is now available at
www.glype.com
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
http://www.securify.nl/advisory/SFY20140902/glype_proxy_local_address_filter_bypass.html
Glype local address bypass
Glype uses the following code (regex) to filter out internal/local addresses. This is intended to prevent proxy users from attacking local/internal resources through Glype.
browse.php
# Protect LAN from access through proxy (protected addresses copied from PHProxy)
if ( preg_match('#^(?:127\.|192\.168\.|10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|localhost)#i', $URL['host']) ) {
error('banned_site', $URL['host']);
}
This regex can easily be bypassed by using a decimal format IP address, which allows an attacker to browse/attack the internal server/network Glype is running on.
For example, if a server running Glype also runs phpmyadmin or another admin panel on local host, browsing to http://2130706433/phpmyadmin (2130706433 equals 127.0.0.1 in decimal) causes Glype to create a local connection to phpmyadmin, allowing remote access. Other internal web pages running on the internal network could be accessed like this as well.
Possible fix
Resolving the hostname using PHP’s gethostbyname before using the regular expression will eliminate this bypass.
$URL['host'] = gethostbyname($URL['host’]);
# Protect LAN from access through proxy (protected addresses copied from PHProxy)
if ( preg_match('#^(?:127\.|192\.168\.|10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|localhost)#i', $URL['host']) ) {
error('banned_site', $URL['host']);
}