[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAFm=iwLQB3zhFzyvhPmsMN0Nin7SbWCaZE5VFWbN29keUkCn+A@mail.gmail.com>
Date: Sat, 21 Apr 2012 11:09:14 -0300
From: Gabriel Menezes Nunes <gab.mnunes@...il.com>
To: Amos Jeffries <amos@...enet.co.nz>
Cc: bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Squid URL Filtering Bypass
Hi,
I tested against a server that I do not have access to the config
file, but I did some tests in a new installation of Squid and the acl
that allows CONNECT only in the SSL_PORTS works well for the CONNECT
to GET translation attack, because the CONNECT method will not work
for port 80. But the method of converting Host to IP still works.
Squid do a better job than McAfee Web Gateway.
But it is still possible to access any site with SSL enabled, like
GMail, Facebook and Youtube(known sites that are filtered in most
companies).
Another possible attack is to find a web proxy in the internet that
allows SSL connection(there are several of them in Google!). This way,
the attacker will access the normal sites (port 80) through this web
proxy and the web proxy through Squid.
McAfee Web Gateway blocks several of this web proxies in regular
configuration. But the appliance is vulnerable to the attacks
mentioned.
One radical method is to block any connection with just the IP
address. Force the user to use DNS hostnames. I do not know if it is
practical, but it will stop the attack.
Many people tell that it is not a attack, it is normal working of SSL
CONNECT Tunnel, but I guess if you block a site in your
institution/company and the users can access this site, it is a
vulnerability! So, why did you install a proxy, if you can't block
anything?
People will waste your bandwidth with videos, access porn and malware
sites without a problem. For me, it is a serious vulnerability.
Thanks for the feedback and the discussion.
Gabriel Menezes Nunes
> Can you please email these details and the squid.conf used to find it to
> the security bugs reporting address bugs at squid-cache.org.
>
> This appears to be an aspect of same-origin bypass (CVE-2009-0801) or
> something closely related.
>
> Thank You
> Amos Jeffries
> Squid Software Foundation
>
Powered by blists - more mailing lists