HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail havp@hege.li if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.

All times are UTC + 2 hours [ DST ]




 Post subject: HAVP and Nessus
Posted: 12 Dec 2007 17:29

Joined: 12 Dec 2007 16:42
Posts: 1
In scanning the proxy server where I have HAVP installed using Nessus, I'm getting this vulnerability:

"Usable remote proxy on any port

The proxy, allows everyone to perform requests
against arbitrary ports, like ...
(more lines)

Solution: reconfigure your proxy so that it only accepts
connections against non-dangerous ports (> 1024).

Risk factor : High

Nessus ID : 10193"

Is this vulnerability real? What solution could you suggest to solve this issue? The warning appears only with the Nessus 3 client; nessuswx-1.4.5 (no longer developed) doesn't show the alert (the server is Nessus 3.0.5 [build 258] for Linux).

Thank you,

Pablo Chamorro

(http://www.nessus.org/plugins/index.php ... e&id=10193)


 Post subject:
Posted: 12 Dec 2007 17:54
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
It's true that HAVP currently allows requests to any port. I might as well add some sanity checks or config to limit it.

But it's not really that dangerous, all you can do is send "GET http://xxxxx/" requests somewhere.

In the recommended configuration with Squid in front of HAVP, there is no problem since the checks are in Squid by default.
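
The kind of destination-port sanity check discussed in this thread, as an added example (it is not HAVP's or Squid's code and was not written by either poster): it parses the request line a client sends to a proxy and permits only ports on an allow-list modelled on Squid's stock `Safe_ports` ACL. The helper names, the port list as applied here, and the sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Allow-list modelled on Squid's stock Safe_ports ACL (an assumption for this
# example; tighten it to local policy).
SAFE_PORTS = {21, 70, 80, 210, 280, 443, 488, 591, 777}
SAFE_RANGE = range(1025, 65536)  # unregistered ports

def check_request_line(line):
    """Return (allowed, reason) for a proxy request line such as
    'GET http://host:port/path HTTP/1.0'. Hypothetical helper."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    try:
        url = urlsplit(parts[1])   # ValueError on a broken IPv6 literal
        port = url.port            # ValueError if non-numeric or > 65535
    except ValueError:
        return False, "invalid host or port"
    if url.scheme.lower() != "http" or not url.hostname:
        return False, "not an absolute http URL"
    if port is None:               # no explicit port: HTTP default
        port = 80
    if port in SAFE_PORTS or port in SAFE_RANGE:
        return True, "port %d allowed" % port
    return False, "port %d denied" % port

# Constructed sample requests, not taken from the thread.
SAMPLE_REQUESTS = [
    "GET http://www.example.com/ HTTP/1.0",
    "GET http://www.example.com:8080/index.html HTTP/1.1",
    "GET http://mail.example.com:25/ HTTP/1.0",
    "GET http://[::1]:22/ HTTP/1.0",
    "GET http://www.example.com:99999/ HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

def audit(requests):
    """Map each request line to its (allowed, reason) verdict."""
    return {req: check_request_line(req) for req in requests}

if __name__ == "__main__":
    for req, (ok, why) in audit(SAMPLE_REQUESTS).items():
        print("ALLOW" if ok else "DENY ", why, "|", req)
```
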

