| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Apr 2012 15:22:24 -0300 From: Gabriel Menezes Nunes <gab.mnunes@...il.com> To: bugtraq <bugtraq@...urityfocus.com> Subject: Corrections about Squid/McAfee URL Filtering Bypass Hi Security Community, I would like to correct the security vulnerabilities that I found recently. All my research was made against a McAfee Web Gateway 7, and, after I finished the proof of concept, I tested against Squid. Both are vulnerable to SSL Translation Attack (converting hostnames to IP). But Squid do not use the HOST field of HTTP protocol. But McAfee uses it. The latest default configuration of Squid blocks CONNECT methods for all ports but 443. McAfee allows CONNECT for 80 and 443. So the tests I made with Host header works ONLY for McAfee Web Gateway and the translation of GET methods to CONNECT methods will work ONLY for McAfee, because Squid blocks CONNECT for port 80. But, if the proxy allows this kind of connection, the proxy can be vulnerable (for translation of the HTTP methods) . Sorry for the misunderstanding. SSL CONNECT Translation Attack (Hostname to IP address): McAfee Web Gateway 7: Vulnerable Squid Proxy: Vulnerable GET TO CONNECT Translation Attack: McAfee Web Gateway 7: Vulnerable Squid Proxy: Not Vulnerable Using of Host field as a criteria for URL Filtering: McAfee Web Gateway 7: Vulnerable Squid Proxy: Not Vulnerable So, Squid is ONLY vulnerable to the attacks if the filtered site is using SSL. McAfee Web Gateway is vulnerable to all attacks. If anyone has access to other proxies like BlueCoat, test and send a feedback. Thanks Gabriel Menezes Nunes
Powered by blists - more mailing lists