List: bugtraq
Subject: Re: Simple way to bypass squid ACLs
From: Mauro Lacy <mauro () INTER-SOFT ! COM>
Date: 1998-02-23 16:08:41
Vitaly V. Fedrushkov wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Good $daytime,
>
> Software: Squid Internet Object Cache
> Version: 1.1.20 (at least)
> Summary: any URL-based ACLs can be bypassed using
> simple rewriting
> Impact: renders any access control based on url_regex
> and/or urlpath_regex unusable
>
> Details
> ~~~~~~~
> It is possible to bypass squid access control rules based on URL
> regular expressions. Due to insufficient URL parsing it is possible
> to rewrite URL with hex escapes so that it is no longer matched
> against some rule but remains valid for replying server.
You can also replace the URL by its numerical IP address (at least this
works for the proxy of my company), e.g.:
netscape http://www.playboy.com -> Access denied
nslookup www.playboy.com
...
Non-authoritative answer:
Name: wdc.express.playboy.com
Addresses: 206.251.29.12, 205.216.146.201
Aliases: www.playboy.com, www.express.playboy.com
netscape http://206.251.29.12 -> OK!
or
netscape http://205.216.146.201 -> OK!
> ...
> Workaround
> ~~~~~~~~~~
> 1. Rewrite regexps to match any valid URL rewriting. Seems tricky
> and result is unreadable by human (== easy to mistype).
>
> 2. Use some request-rewriting software at proxy port to canonify
> request and forward it to squid. This breaks port- and IDENT-based
> rules.
>
I suppose that in this case you have to add the numerical IP of the URL
in the ACL.
e.g.:
PornoURLs.acl:
...
www.playboy.com
206.251.29.12
205.216.146.201
...
Everybody: please don't tell my company sysadmin. :-))
> - - --
> "No easy hope or lies | Vitaly "Willy the Pooh" Fedrushkov
> Shall bring us to our goal, | Information Technology Division
> But iron sacrifice | Chelyabinsk State University
> Of Body, Will and Soul." | mailto:willy@csu.ac.ru +7 3512 156770
> R.Kipling | http://www.csu.ac.ru/~willy VVF1-RIPE
I agree.
Mauro
--
Mauro Lacy - mauro@inter-soft.com
Intersoft Argentina - http://www.inter-soft.com
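
The two workarounds discussed in this thread (canonify the request before matching, and list the numeric addresses alongside the name) can be combined in one check. The sketch below is an added example, not part of the original message and not Squid code; `canonicalize`, `is_denied`, `lookup`, the `/adult/` path rule and the `www.example.org` entry are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Deny data: host name and addresses as listed in the post; the path rule is hypothetical.
DENY_HOST_RE = re.compile(r"(^|\.)playboy\.com$")
DENY_IPS = {"206.251.29.12", "205.216.146.201"}
DENY_PATH_RE = re.compile(r"/adult/")

# Constructed resolver table so the example runs offline; a live filter
# would query DNS instead (e.g. socket.gethostbyname_ex).
SAMPLE_DNS = {
    "www.playboy.com": ["206.251.29.12", "205.216.146.201"],
    "www.example.org": ["192.0.2.10"],
}


def lookup(host):
    return SAMPLE_DNS.get(host, [])


def canonicalize(url):
    """Return (host, path) with hex escapes decoded once and the host lowercased."""
    parts = urlsplit(url)
    host = unquote(parts.hostname or "").lower().rstrip(".")
    path = unquote(parts.path or "/")
    return host, path


def is_denied(url, resolve=lookup):
    """Match the canonical form against name, address and path rules."""
    host, path = canonicalize(url)
    try:
        # Host is an IP literal: compare the address itself.
        addrs = {str(ipaddress.ip_address(host))}
        name_hit = False
    except ValueError:
        # Host is a name: check the name and every address it resolves to.
        addrs = set(resolve(host))
        name_hit = bool(DENY_HOST_RE.search(host))
    return name_hit or bool(addrs & DENY_IPS) or bool(DENY_PATH_RE.search(path))


if __name__ == "__main__":
    for u in ("http://www.playboy.com/", "http://206.251.29.12/",
              "http://www.example.org/%61dult/x", "http://www.example.org/"):
        print(u, "->", "DENY" if is_denied(u) else "allow")
```

Resolving names at match time also covers address changes that a hand-maintained IP list would miss, at the cost of one lookup per request.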