Users login

Create an account »


Users login

Home » Hacking News » Raptor firewall http vulnerability

Raptor firewall http vulnerability

by phiber on March 26th, 2001 Raptor firewall, version 6.5 has a http request forwarding vulnerability if a port other than 80 is used. Redirect rules does not affect this problem. When an extern or internal client, configures itself to use the nearest interface as proxy, it's possible to access other ports that 80 on the target host.

- Explanation:
Only the http protocol is allowed and only to a range of TCP

TCP, 79-99 and TCP, 200-65535.

If a port outside this range is targeted, an Alert
will be issued.

An example of what is vulnerability could be used for:

Setting a Raptor firewall up, allowing Universe to
access a local web server (host: webserver), listening on port 80 (normal website) and 2000 (admin site).
This would give external users access to the admin site listening on port 2000, if the client is configured to use the external interface as a proxy server
(for lynx: "export http_proxy =
http://external-interface:80/ ; lynx

This works not only for external users, but also for internal users.

Testing of the Secure Socket Layer has not been performed.

- Vulnerable Versions

Raptor firewall 6.5.

- Non Vulnerable Versions

Raptor firewall 6.0.2.

Older versions, not tested.

- Solution

1. Use httpd.noproxy in the affected rule.

2. Downgrade to version 6.0.2

3. Apply hotfix SG6500-20000920-00 and SG6500-20001121-00

Hot Fix SG6500-20000920-00 9/20/2000

if client uses firewall as proxy, firewall will forward
request to ports other than 80 on server. this vulnerability
is fixed by closing all ports for proxy except 80 and port
specified by httpd.allow_proxy_to_port_xxx=1.

Hot Fix SG6500-20001121-00 11/21/2000

this hotfix removes the implementation of
httpd.allow_proxy_to_port_xxx. Without this implementation,
firewall could be used as proxy to access (inbound and
outbound) http ports other than 80.

- Workaround:

1. Disable the http proxy, and use the TCP proxy. But this
will introduce other security concerns.

2. Disable other listeners at the webserver.

- Credits for this vulnerability go to Benny Amorsen, [email protected] and Christian E. Lysel, [email protected]

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »