tinyproxy vulnerability
Updated 8/14/02
CVE 2001-0129
CVE 2002-0847
Impact
A remote attacker could cause a denial of service or
execute arbitrary code on the server.
Background
Tinyproxy is a simple HTTP proxy server designed for small networks.
Its function is to relay HTTP requests and responses
between a web client and a web server.
The Problem
8/14/02
CVE 2002-0847
Tinyproxy versions prior to 1.5 contain a flaw which could
cause the same memory buffer to be deallocated twice.
A remote attacker could exploit this flaw and execute
arbitrary commands by sending a malformed proxy request.
2/7/01
CVE 2001-0129
A buffer overflow condition in the part of the code
which handles invalid requests could be exploited to
cause a denial of service or to execute arbitrary code.
Resolution
Install the latest version of tinyproxy.
Where can I read more about this?
The deallocation flaw was reported in an X-Force Advisory.
The buffer overflow was reported in Packet Knights advisory #002.
FreeBSD users should refer to FreeBSD Security Advisory 01:15.