The proxy engine on Cisco Web Security Appliance (WSA) devices with software 8.5.3-055, 9.1.0-000, and 9.5.0-235 allows remote malicious users to bypass intended proxy restrictions via a malformed HTTP method, aka Bug ID CSCux00848.
Malformed HTTP methods blamed
Cisco has patched a vulnerability in its Web Security Appliance that allows unauthenticated remote attackers to bypass security controls.
The bug (CVE-2016-1296) allows attackers to use proxies when such traffic should be restricted.
Affected users of versions 8.5.3-055, 9.1.0-000, and 9.5.0-235 should apply the released fix. With all due haste, please, as no workarounds are available.
The Borg says the hole is thanks to malformed HTTP methods.
"A vulnerability in the pro...