WebWasher Classic Server Mode Arbitrary Proxy CONNECT Request
High Nessus Plugin ID 16277
Synopsis
The remote service is vulnerable to an access control breach.

Description
There is a flaw in the remote WebWasher Proxy. When issued a CONNECT command for 127.0.0.1 (or localhost/loopback), the proxy will comply with the request and initiate a connection to the local machine.
This bypasses any firewalling and gives access to local applications that are bound only to the loopback interface.
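The mitigation side of the flaw described above is a target check performed before a CONNECT is honoured. The following is an added example, not WebWasher code: a hypothetical `connect_target_allowed` helper that refuses the loopback forms the advisory names (127.0.0.1, localhost) and, going beyond the advisory, also IPv6 loopback, IPv4-mapped IPv6 literals, unspecified addresses, and hostnames that resolve to a local address via a caller-supplied resolver.

```python
"""Refuse CONNECT targets that point back at the proxy host itself.

Hypothetical helper (not WebWasher's code): the check a forward proxy should
run before opening a tunnel, covering 127.0.0.1 and localhost as in the
advisory, plus ::1, ::ffff:127.0.0.1, 0.0.0.0/:: and DNS names aliasing them.
"""
import ipaddress
from typing import Callable, List, Optional

Resolver = Callable[[str], List[str]]  # hostname -> resolved address strings


def split_connect_target(target: str) -> str:
    """Extract the host from a CONNECT authority-form target (host:port)."""
    target = target.strip()
    if target.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        end = target.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal in CONNECT target")
        return target[1:end]
    host, _, _port = target.rpartition(":")
    return host or target                 # no port given: whole string is the host


def address_is_local(text: str) -> bool:
    """True for loopback or unspecified IP literals, unwrapping ::ffff:a.b.c.d."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False                      # not an IP literal at all
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped           # treat ::ffff:127.0.0.1 as 127.0.0.1
    # 0.0.0.0 and :: reach the local host on most stacks, so refuse them too.
    return addr.is_loopback or addr.is_unspecified


def connect_target_allowed(target: str, resolve: Optional[Resolver] = None) -> bool:
    """Return False when the CONNECT target must be refused.

    `resolve` maps a hostname to the addresses it resolves to; in a real proxy
    pass a wrapper around socket.getaddrinfo so that a DNS name pointing at
    127.0.0.1 is caught as well. Without a resolver only IP literals and the
    'localhost' name are checked (no network access is needed).
    """
    host = split_connect_target(target).lower().rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return False
    if address_is_local(host):
        return False
    if resolve is not None:
        return not any(address_is_local(a) for a in resolve(host))
    return True
```

The hostname branch matters because an attacker-controlled DNS name can alias the loopback address just as effectively as the literal, so the resolved addresses must be checked, not only the name.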
Solution
Upgrade to a version of WebWasher greater than 3.3.