Simple way to bypass squid ACLs


X-RDate: Tue, 24 Feb 1998 10:55:11 +0500 (ESK)
Date: Mon, 23 Feb 1998 13:08:41 -0300
From: Mauro Lacy <mauro@inter-soft.com>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Simple way to bypass squid ACLs

Vitaly V. Fedrushkov wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Good $daytime,
>
> Software:       Squid Internet Object Cache
> Version:        1.1.20 (at least)
> Summary:        any URL-based ACLs can be bypassed using
>                 simple rewriting
> Impact:         renders any access control based on url_regex
>                 and/or urlpath_regex unusable
>
> Details
> ~~~~~~~
> It is possible to bypass squid access control rules based on URL
> regular expressions.  Due to insufficient URL parsing it is possible
> to rewrite URL with hex escapes so that it is no longer matched
> against some rule but remains valid for replying server.

You can also replace the URL by its numerical IP address (at least this
works for the proxy of my company), e.g.:

 netscape http://www.playboy.com                -> Access denied
 nslookup www.playboy.com
        ...
        Non-authoritative answer:
        Name:    wdc.express.playboy.com
        Addresses:  206.251.29.12, 205.216.146.201
        Aliases:  www.playboy.com, www.express.playboy.com

 netscape http://206.251.29.12                  -> OK!
 or
 netscape http://205.216.146.201                -> OK!

> ...
> Workaround
> ~~~~~~~~~~
> 1. Rewrite regexps to match any valid URL rewriting.  Seems tricky
> and result is unreadable by human (== easy to mistype).
>
> 2. Use some request-rewriting software at proxy port to canonify
> request and forward it to squid.  This breaks port- and IDENT-based
> rules.
>

I suppose that in this case you have to add the numerical IP of the URL
in the ACL.
e.g.:
 PornoURLs.acl:
         ...
         www.playboy.com
         206.251.29.12
         205.216.146.201
         ...

Everybody: please don't tell my company sysadmin. :-))

> - - --
> "No easy hope or lies        | Vitaly "Willy the Pooh" Fedrushkov
>  Shall bring us to our goal, | Information Technology Division
>  But iron sacrifice          | Chelyabinsk State University
>  Of Body, Will and Soul."    | mailto:willy@csu.ac.ru  +7 3512 156770
>                    R.Kipling | http://www.csu.ac.ru/~willy  VVF1-RIPE

I agree.

Mauro
--
Mauro Lacy                   -              mauro@inter-soft.com
Intersoft Argentina          -              http://www.inter-soft.com
