lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat, 21 Apr 2012 11:09:14 -0300
From: Gabriel Menezes Nunes <gab.mnunes@...il.com>
To: Amos Jeffries <amos@...enet.co.nz>
Cc: bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Squid URL Filtering Bypass

Hi,

I tested against a server that I do not have access to the config
file, but I did some tests in a new installation of Squid and the acl
that allows CONNECT only in the SSL_PORTS works well for the CONNECT
to GET translation attack, because the CONNECT method will not work
for port 80. But the method of converting Host to IP still works.
Squid do a better job than McAfee Web Gateway.
But it is still possible to access any site with SSL enabled, like
GMail, Facebook and Youtube(known sites that are filtered in most
companies).
Another possible attack is to find a web proxy in the internet that
allows SSL connection(there are several of them in Google!). This way,
the attacker will access the normal sites (port 80) through this web
proxy and the web proxy through Squid.
McAfee Web Gateway blocks several of this web proxies in regular
configuration. But the appliance is vulnerable to the attacks
mentioned.
One radical method is to block any connection with just the IP
address. Force the user to use DNS hostnames. I do not know if it is
practical, but it will stop the attack.
Many people tell that it is not a attack, it is normal working of SSL
CONNECT Tunnel, but I guess if you block a site in your
institution/company and the users can access this site, it is a
vulnerability! So, why did you install a proxy, if you can't block
anything?
People will waste your bandwidth with videos, access porn and malware
sites without a problem. For me, it is a serious vulnerability.

Thanks for the feedback and the discussion.

Gabriel Menezes Nunes

> Can you please email these details and the squid.conf used to find it to
> the security bugs reporting address bugs at squid-cache.org.
>
> This appears to be an aspect of same-origin bypass (CVE-2009-0801) or
> something closely related.
>
> Thank You
> Amos Jeffries
> Squid Software Foundation
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ