================================================
== Alex Stanev Security Advisory #2 @10.14.2002 ==
== http://sec.stanev.org ==
================================================

PRODUCT
  Proxy Plus

VENDOR
  Fortech [http://www.proxyplus.net]

VERSIONS AFFECTED
  Proxy+ 3.00 (Build #232), possibly lower

CLASS
  Design weakness and Denial of Service

PRODUCT DESCRIPTION
  Proxy+ gives a complete solution for access to the Internet from LANs.
  If the computer with Proxy+ is correctly set up, Proxy+ separates the
  local LAN from the Internet with high safety.

  Supported services:
  * HTTP proxy
  * HTTPS proxy
  * FTP proxy
  * FTP gateway
  * Gopher proxy
  * Telnet gateway
  * SOCKS4 and SOCKS5
  * Real Audio Proxy
  * ICP Server/ICP client
  * DNS Forwarder
  * POP3/SMTP mail server
  * Mapped links

THE PROBLEM
  1) Denial of Service
  Sending a request with a leading slash greater than 64K to one of the
  ProxyPlus modules (HTTP server, HTTP proxy or HTTPS proxy) leaves a
  low-priority thread running and gives no response to the client. The
  thread consumes all CPU cycles, and it stays in the running state after
  the client disconnects. About 20 to 30 such requests can bring the
  server down. It is not possible to reboot the server remotely via the
  administrative interface; the process has to be killed manually via
  Task Manager or a similar program.

  2) Passwords stored in an insecure way
  User information is stored under the
  [ HKEY_LOCAL_MACHINE\SOFTWARE\Fortech\ProxyPlus\Users ]
  registry key. The password is "encrypted" with a simple base64 coder,
  so it can be reversed to plaintext instantly.

EXPLOIT
  1) Example request:
  [ GET /[65535 x A] A\r\r ]

PATCH/WORKAROUND
  No workaround possible. Next version?

VENDOR STATUS
  Informed.

=========================
== EOF ==
== http://sec.stanev.org ==
=========================
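
Added example for problem 2 above (not part of the original advisory and not Proxy+ code): it contrasts base64 storage, which is a keyless encoding, with a salted one-way scrypt verifier. The sample password, function names, storage format and scrypt cost parameters are assumptions made for illustration, and the hardened form assumes the server only needs to verify passwords, not recover them.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample value, not taken from any real Proxy+ installation.
SAMPLE_PASSWORD = "Example-Passw0rd"

# scrypt cost parameters chosen for this example (about 16 MiB per hash).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def encode_base64(password: str) -> str:
    """Weak scheme described in the advisory: an encoding with no key."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def decode_base64(stored: str) -> str:
    """Anyone able to read the stored value gets the plaintext back."""
    return base64.b64decode(stored).decode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened form: salted one-way verifier, stored as 'salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    weak = encode_base64(SAMPLE_PASSWORD)
    print("base64 stored :", weak, "-> decodes to", decode_base64(weak))
    strong = hash_password(SAMPLE_PASSWORD)
    print("scrypt stored :", strong)
    print("correct login :", verify_password(SAMPLE_PASSWORD, strong))
    print("wrong login   :", verify_password("not-the-password", strong))
```

Because each record carries its own random salt, two users with the same password get different stored values, and reading the store no longer yields the password itself.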