Simple way to bypass squid ACLs

From: Vitaly V. Fedrushkov (willyat_private)
Date: Thu Feb 19 1998 - 19:04:00 PST

    -----BEGIN PGP SIGNED MESSAGE-----
    
    Good $daytime,
    
    Software:       Squid Internet Object Cache
    Version:        1.1.20 (at least)
    Summary:        any URL-based ACLs can be bypassed using
                    simple rewriting
    Impact:         renders any access control based on url_regex
                    and/or urlpath_regex unusable
    
    
    Details
    ~~~~~~~
    It is possible to bypass squid access control rules based on URL
    regular expressions.  Due to insufficient URL parsing it is possible
    to rewrite a URL with hex escapes so that it is no longer matched
    against some rule but remains valid for the replying server.
    
    
    Example
    ~~~~~~~
    squid.conf:
            ...
            acl PornoURLs url_regex "/var/lib/squid/etc/PornoURLs.acl"
            ...
            http_access     deny    PornoURLs
            ...
    
    PornoURLs.acl:
            ...
            aha.ru.*/~sands/
            ...
    
    netscape http://www.aha.ru/~sands/      -> Access denied
    netscape http://www.aha.ru/~%73ands/    -> 200 OK
    
    _BUT_
    
    http://www.ravage.com/plypage/html/nude.html     -> Access denied
    http://www.ravage.com/plypage/html/%75%6ede.html -> 404 Object Not Found
    
    Impact
    ~~~~~~
    Any access restrictions based on such ACLs can be easily broken by
    clients.  In my case it can be used for acceptable usage policy (AUP)
    violation.
    
    
    Workaround
    ~~~~~~~~~~
    1. Rewrite regexps to match any valid URL rewriting.  Seems tricky
    and the result is unreadable by humans (== easy to mistype).
    
    2. Use some request-rewriting software at proxy port to canonify
    request and forward it to squid.  This breaks port- and IDENT-based
    rules.
    
    
    Other software
    ~~~~~ ~~~~~~~~
    As you can see, the result depends on the server implementation.  RFC1738 says
    MAY on escaping printable characters.  Also it is stated that such
    escapes may change URL semantics.  Nonetheless, any other software
    that uses URL matching is about to be checked.
    
    Thanks for your time.
    
      Regards,
      Willy.
    
    - - --
    "No easy hope or lies        | Vitaly "Willy the Pooh" Fedrushkov
     Shall bring us to our goal, | Information Technology Division
     But iron sacrifice          | Chelyabinsk State University
     Of Body, Will and Soul."    | mailto:willyat_private  +7 3512 156770
                       R.Kipling | http://www.csu.ac.ru/~willy  VVF1-RIPE
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3ia
    Charset: koi8
    
    iQCVAwUBNOzyUzslK91NCq/tAQHQ5QQAksWEioRWwwowl1TIHaVimE2i5AxEAYw4
    3qOSJYI7bY2+0pM1R+1By+A8sWU6cPpvetNopO7DhRD/ytX01UiImoMfvw1vg5ET
    VAmIPMI0AI/O5fvkjXoLtJBsDaWc2t51NE4Z9Q6NHn6tnjTIIX1toSNJKxylZL0L
    xn7Tr3KnSXI=
    =6k0i
    -----END PGP SIGNATURE-----
    