
List:       bugtraq
Subject:    Re: Simple way to bypass squid ACLs
From:       Mauro Lacy <mauro () INTER-SOFT ! COM>
Date:       1998-02-23 16:08:41

Vitaly V. Fedrushkov wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Good $daytime,
>
> Software:       Squid Internet Object Cache
> Version:        1.1.20 (at least)
> Summary:        any URL-based ACLs can be bypassed using
>                 simple rewriting
> Impact:         renders any access control based on url_regex
>                 and/or urlpath_regex unusable
>
> Details
> ~~~~~~~
> It is possible to bypass squid access control rules based on URL
> regular expressions.  Due to insufficient URL parsing it is possible
> to rewrite URL with hex escapes so that it is no longer matched
> against some rule but remains valid for replying server.

You can also replace the URL by its numerical IP address (at least this
works for the proxy of my company), e.g.:

 netscape http://www.playboy.com                -> Access denied
 nslookup www.playboy.com
        ...
        Non-authoritative answer:
        Name:    wdc.express.playboy.com
        Addresses:  206.251.29.12, 205.216.146.201
        Aliases:  www.playboy.com, www.express.playboy.com

 netscape http://206.251.29.12                  -> OK!
 or
 netscape http://205.216.146.201                -> OK!

> ...
> Workaround
> ~~~~~~~~~~
> 1. Rewrite regexps to match any valid URL rewriting.  Seems tricky
> and result is unreadable by human (== easy to mistype).
>
> 2. Use some request-rewriting software at proxy port to canonify
> request and forward it to squid.  This breaks port- and IDENT-based
> rules.
>

I suppose that in this case you have to add the numerical IP of the URL
in the ACL.
e.g.:
 PornoURLs.acl:
         ...
         www.playboy.com
         206.251.29.12
         205.216.146.201
         ...

Everybody: please don't tell my company sysadmin. :-))

> - - --
> "No easy hope or lies        | Vitaly "Willy the Pooh" Fedrushkov
>  Shall bring us to our goal, | Information Technology Division
>  But iron sacrifice          | Chelyabinsk State University
>  Of Body, Will and Soul."    | mailto:willy@csu.ac.ru  +7 3512 156770
>                    R.Kipling | http://www.csu.ac.ru/~willy  VVF1-RIPE

I agree.

Mauro
--
Mauro Lacy                   -              mauro@inter-soft.com
Intersoft Argentina          -              http://www.inter-soft.com
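As an added illustration (not code from the thread or from Squid), a canonicalize-before-match check in Python: it shows why a regex applied to the raw request misses the hex-escaped and numerical-IP spellings discussed above, and how decoding the URL first, combined with an address list (the two playboy.com addresses from the nslookup output, used here as constructed sample data), closes both gaps.

```python
import re
import ipaddress
from urllib.parse import urlsplit, unquote

# Constructed ACL data in the spirit of PornoURLs.acl above: the hostname
# and the two numerical addresses nslookup returned in the thread.
BLOCKED_HOSTS = {"www.playboy.com", "wdc.express.playboy.com"}
BLOCKED_IPS = {ipaddress.ip_address(a) for a in ("206.251.29.12", "205.216.146.201")}
# A url_regex-style rule written, as is usual, against the hostname only.
URL_REGEX = re.compile(r"^http://www\.playboy\.com")


def naive_denied(url: str) -> bool:
    """Original behaviour: the regex is applied to the URL as received."""
    return bool(URL_REGEX.search(url))


def canonicalize(url: str) -> str:
    """Reduce equivalent spellings of one URL to a single form before any
    ACL sees it: undo %XX escapes until none remain (covers double encoding),
    lowercase scheme and host, drop a trailing dot and the default port."""
    prev = None
    while prev != url:
        prev, url = url, unquote(url)
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    port = parts.port  # raises ValueError on a non-numeric port
    netloc = host if port in (None, 80) else f"{host}:{port}"
    return f"{parts.scheme.lower()}://{netloc}{parts.path or '/'}"


def canonical_denied(url: str) -> bool:
    """Same rule as naive_denied, but after canonicalization, plus an
    address list so a dotted-quad host cannot sidestep the hostname rule."""
    try:
        canon = canonicalize(url)
    except ValueError:
        return True  # unparseable after decoding: fail closed
    if URL_REGEX.search(canon):
        return True
    host = urlsplit(canon).hostname or ""
    try:
        return ipaddress.ip_address(host) in BLOCKED_IPS
    except ValueError:
        return host in BLOCKED_HOSTS
```

The address list still has to be kept in step with DNS by the administrator, as the reply above notes; canonicalization only removes the spelling tricks, not the need for that list.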
