Glype proxy local address filter bypass

Abstract

A vulnerability has been identified in the Glype web-based proxy. Glype has a filter to disallow users from surfing to local addresses, to prevents users from attacking the local server/network Glype is running on. The filter can easily be bypassed by using IPs in decimal form.

Affected versions

This issue has been identified in Glype 1.4.9. Older version are most likely affected as well.

Fix

Glype was informed and a fixed version (1.4.10) is now available at www.glype.com

Introduction

Glype is a web-based proxy script written in PHP. A web-based proxy script is hosted on a website which provides a proxy service to users via a web browser. A proxy service downloads requested web pages, modifies them for compatibility with the proxy, and forwards them on to the user. Web proxies are commonly used for anonymous browsing and bypassing censorship and other restrictions.

Glype is widely used to provide an anonymous browsing environment for bypassing censorship and other restrictions. There have been over 838,000 downloads of Glype since 2007. Thousands of web-based proxy websites are powered by Glype.

Glype local address bypass

Glype uses the following code (regex) to filter out internal/local addresses. This is intended to prevent proxy users from attacking local/internal resources through Glype.

browse.php

# Protect LAN from access through proxy (protected addresses copied from PHProxy)
if ( preg_match('#^(?:127\.|192\.168\.|10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|localhost)#i', $URL['host']) ) {
	error('banned_site', $URL['host']);
}

This regex can easily be bypassed by using a decimal format IP address, which allows an attacker to browse/attack the internal server/network Glype is running on.

For example, if a server running Glype also runs phpmyadmin or another admin panel on local host, browsing to http://2130706433/phpmyadmin (2130706433 equals 127.0.0.1 in decimal) causes Glype to create a local connection to phpmyadmin, allowing remote access. Other internal web pages running on the internal network could be accessed like this as well.

Possible fix

Resolving the hostname using PHP’s gethostbyname before using the regular expression will eliminate this bypass.

$URL['host'] = gethostbyname($URL['host’]);

# Protect LAN from access through proxy (protected addresses copied from PHProxy)
if ( preg_match('#^(?:127\.|192\.168\.|10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|localhost)#i', $URL['host']) ) {
	error('banned_site', $URL['host']);
}

Vragen of feedback?