tinyproxy vulnerability

Updated 8/14/02
CVE-2001-0129, CVE-2002-0847

Impact

A remote attacker could cause a denial of service or execute arbitrary code on the server.

Background

Tinyproxy is a simple HTTP proxy server designed for small networks. Its function is to relay HTTP requests and responses between a web client and a web server.

The Problem

8/14/02
CVE-2002-0847
Tinyproxy versions prior to 1.5 contain a flaw that can cause the same memory buffer to be deallocated twice. A remote attacker could trigger this flaw by sending a malformed proxy request and thereby execute arbitrary commands.

2/7/01
CVE-2001-0129
A buffer overflow in the part of the code that handles invalid requests could be exploited to cause a denial of service or to execute arbitrary code.
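The two flaw classes above (a heap buffer released twice, and an error path that copies an over-long invalid request into a fixed buffer) are shown below in the defended form a proxy's request handler should take. This is an added illustration written for this page; it is not tinyproxy's code and not taken from either advisory. The `struct request` record, the `REQ_MAX` and `ECHO_MAX` limits, and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REQ_MAX  128   /* longest request line accepted (constructed limit) */
#define ECHO_MAX  32   /* bytes of a bad request echoed back in the error reply */

/* Hypothetical parsed-request record; not tinyproxy's own data structure. */
struct request {
    char *method;
    char *uri;
};

/* Free through a pointer-to-pointer and null the slot, so releasing the same
 * record twice (the situation behind the double deallocation above) becomes a
 * no-op instead of a second free() of the same heap block. */
static void safe_free(char **p)
{
    free(*p);
    *p = NULL;
}

void request_release(struct request *r)
{
    safe_free(&r->method);
    safe_free(&r->uri);
}

/* Copy exactly n bytes into a fresh NUL-terminated string. */
static char *dup_bounded(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

/* Parse "METHOD URI HTTP/x.y" (len bytes, not necessarily NUL-terminated).
 * Returns 0 and fills r on success, -1 for an invalid or oversized request.
 * The length check runs first, so no part of a hostile line is copied
 * anywhere until it is known to fit. */
int request_parse(const char *line, size_t len, struct request *r)
{
    r->method = NULL;
    r->uri = NULL;
    if (len == 0 || len > REQ_MAX)
        return -1;
    if (memchr(line, '\0', len) != NULL)        /* embedded NUL: reject */
        return -1;
    const char *sp1 = memchr(line, ' ', len);
    if (sp1 == NULL)
        return -1;
    size_t rest = len - (size_t)(sp1 + 1 - line);
    const char *sp2 = memchr(sp1 + 1, ' ', rest);
    if (sp2 == NULL || sp2 + 1 == line + len)   /* version token must be non-empty */
        return -1;
    size_t mlen = (size_t)(sp1 - line);
    size_t ulen = (size_t)(sp2 - sp1 - 1);
    if (mlen == 0 || ulen == 0)
        return -1;
    r->method = dup_bounded(line, mlen);
    r->uri = dup_bounded(sp1 + 1, ulen);
    if (r->method == NULL || r->uri == NULL) {
        request_release(r);                     /* partial allocation: clean up once */
        return -1;
    }
    return 0;
}

/* Build the reply for an invalid request into a caller-sized buffer. The
 * offending line is echoed through snprintf with a capped precision, so an
 * arbitrarily long line is truncated instead of overflowing the buffer, which
 * is the error-path mistake behind the buffer overflow above. Returns the
 * number of bytes written (excluding the NUL), or -1 on failure. */
int error_response(char *out, size_t outsz, const char *line, size_t len)
{
    if (outsz == 0)
        return -1;
    int echo = len > ECHO_MAX ? ECHO_MAX : (int)len;
    int n = snprintf(out, outsz, "400 Bad Request: %.*s", echo, line);
    if (n < 0)
        return -1;
    if ((size_t)n >= outsz)
        n = (int)outsz - 1;                     /* truncated: report what fits */
    return n;
}

int main(void)
{
    /* Constructed sample input: one valid line and one hostile oversized line. */
    const char *good = "GET /index.html HTTP/1.0";
    char bad[4096], reply[64];
    struct request r;
    memset(bad, 'A', sizeof bad);
    if (request_parse(good, strlen(good), &r) == 0)
        printf("method=%s uri=%s\n", r.method, r.uri);
    request_release(&r);
    request_release(&r);                        /* second release is harmless */
    if (request_parse(bad, sizeof bad, &r) != 0) {
        error_response(reply, sizeof reply, bad, sizeof bad);
        printf("%s\n", reply);
    }
    return 0;
}
```

The two defences are independent: nulling the slot in `safe_free` makes a repeated release harmless regardless of how the caller got there, and `error_response` never trusts the request length, so the error path stays bounded even when parsing has already rejected the line.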

Resolution

Install the latest version of tinyproxy.

Where can I read more about this?

The deallocation flaw was reported in an X-Force Advisory.

The buffer overflow was reported in Packet Knights advisory #002. FreeBSD users should refer to FreeBSD Security Advisory 01:15.