Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests
From: Juliusz Chroboczek <jch () pps jussieu fr>
Date: Thu, 06 Oct 2011 18:37:01 +0200

  a denial of service flaw was found in the way Polipo, a lightweight
caching web proxy, processed certain HTTP POST / PUT requests. If
polipo was configured to allow remote client connections and particular
host was allowed to connect to polipo server instance, a remote
attacker could use this flaw to cause denial of service (polipo daemon
abort due to assertion failure) via specially-crafted HTTP POST / PUT

Yes, this is a known bug with Polipo 1.0.4 and  I believe that
it is fixed in the Git trunk, which is unfortunately not ready to be
released (and might never be unless a maintainer is found).

At any rate, I do not recommend running Polipo as a publicly accessible
proxy.  While I have made reasonable efforts to ensure that this is
safe, Polipo was not designed for that.


-- Juliusz

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]