Bugtraq mailing list archives

Re: Simple way to bypass squid ACLs


From: mauro () INTER-SOFT COM (Mauro Lacy)
Date: Mon, 23 Feb 1998 13:08:41 -0300


Vitaly V. Fedrushkov wrote:

-----BEGIN PGP SIGNED MESSAGE-----

Good $daytime,

Software:       Squid Internet Object Cache
Version:        1.1.20 (at least)
Summary:        any URL-based ACLs can be bypassed using
                simple rewriting
Impact:         renders any access control based on url_regex
                and/or urlpath_regex unusable

Details
~~~~~~~
It is possible to bypass squid access control rules based on URL
regular expressions.  Due to insufficient URL parsing it is possible
to rewrite URL with hex escapes so that it is no longer matched
against some rule but remains valid for replying server.

You can also replace the URL by its numerical IP address (at least this
works for the proxy of my company), e.g.:

 netscape http://www.playboy.com                -> Access denied
 nslookup www.playboy.com
        ...
        Non-authoritative answer:
        Name:    wdc.express.playboy.com
        Addresses:  206.251.29.12, 205.216.146.201
        Aliases:  www.playboy.com, www.express.playboy.com

 netscape http://206.251.29.12                  -> OK!
 or
 netscape http://205.216.146.201                -> OK!

...
Workaround
~~~~~~~~~~
1. Rewrite regexps to match any valid URL rewriting.  Seems tricky
and result is unreadable by human (== easy to mistype).

2. Use some request-rewriting software at proxy port to canonify
request and forward it to squid.  This breaks port- and IDENT-based
rules.


I suppose that in this case you have to add the numerical IP of the URL
in the ACL, e.g.:
 PornoURLs.acl:
         ...
         www.playboy.com
         206.251.29.12
         205.216.146.201
         ...

Everybody: please don't tell my company sysadmin. :-))

- - --
"No easy hope or lies        | Vitaly "Willy the Pooh" Fedrushkov
 Shall bring us to our goal, | Information Technology Division
 But iron sacrifice          | Chelyabinsk State University
 Of Body, Will and Soul."    | mailto:willy () csu ac ru  +7 3512 156770
                   R.Kipling | http://www.csu.ac.ru/~willy  VVF1-RIPE

I agree.

Mauro
--
Mauro Lacy                   -              mauro () inter-soft com
Intersoft Argentina          -              http://www.inter-soft.com
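
Added example, not part of the original posts and not Squid code: a Python sketch that combines the "canonify the request" idea from workaround 2 with the suggestion in the reply to list the numerical addresses next to the name. The rule set, host names and addresses are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed rule set for illustration (hypothetical names and addresses).
DENY_URL_REGEX = [re.compile(r"blocked\.example", re.I),
                  re.compile(r"/adult/", re.I)]
# Addresses the listed name resolves to, kept next to the name as the reply suggests.
DENY_ADDRS = {ipaddress.ip_address("192.0.2.10"),
              ipaddress.ip_address("192.0.2.11")}


def naive_is_denied(url):
    """Match the regex rules against the request URL exactly as received."""
    return any(rx.search(url) for rx in DENY_URL_REGEX)


def is_denied(url):
    """Match the rules against a canonical form of the URL."""
    # Decode hex escapes once, as the replying server would, before matching.
    decoded = unquote(url)
    if any(rx.search(decoded) for rx in DENY_URL_REGEX):
        return True
    # A host given as an IP literal is checked against the listed addresses.
    host = unquote(urlsplit(url).hostname or "").rstrip(".")
    try:
        return ipaddress.ip_address(host) in DENY_ADDRS
    except ValueError:          # host is a name, not an address
        return False


# Constructed sample requests: plain, hex-escaped path, IP literal, unrelated.
SAMPLES = [
    "http://blocked.example/",
    "http://other.example/%61dult/index.html",
    "http://192.0.2.10/",
    "http://allowed.example/index.html",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:45} naive={naive_is_denied(u)!s:5} canonical={is_denied(u)}")
```

A static address list like `DENY_ADDRS` has to be refreshed whenever the DNS records for the listed name change.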


