Vitaly V. Fedrushkov wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Good $daytime,
>
> Software: Squid Internet Object Cache
> Version:  1.1.20 (at least)
> Summary:  any URL-based ACLs can be bypassed using
>           simple rewriting
> Impact:   renders any access control based on url_regex
>           and/or urlpath_regex unusable
>
> Details
> ~~~~~~~
> It is possible to bypass squid access control rules based on URL
> regular expressions. Due to insufficient URL parsing it is possible
> to rewrite URL with hex escapes so that it is no longer matched
> against some rule but remains valid for replying server.

You can also replace the URL by its numerical IP address (at least this works
for the proxy of my company)
eg.:

netscape http://www.playboy.com -> Access denied

nslookup www.playboy.com
...
Non-authoritative answer:
Name:      wdc.express.playboy.com
Addresses: 206.251.29.12, 205.216.146.201
Aliases:   www.playboy.com, www.express.playboy.com

netscape http://206.251.29.12 -> OK!
or
netscape http://205.216.146.201 -> OK!

> ...
> Workaround
> ~~~~~~~~~~
> 1. Rewrite regexps to match any valid URL rewriting. Seems tricky
> and result is unreadable by human (== easy to mistype).
>
> 2. Use some request-rewriting software at proxy port to canonify
> request and forward it to squid. This breaks port- and IDENT-based
> rules.
>

I suppose that in this case you have to add the numerical IP of the URL in the
ACL.
eg.:

PornoURLs.acl:
...
www.playboy.com
206.251.29.12
205.216.146.201
...

Everybody: please don't tell my company sysadmin. :-))

> - - --
> "No easy hope or lies        | Vitaly "Willy the Pooh" Fedrushkov
>  Shall bring us to our goal, | Information Technology Division
>  But iron sacrifice          | Chelyabinsk State University
>  Of Body, Will and Soul."    | mailto:willyat_private  +7 3512 156770
>                    R.Kipling | http://www.csu.ac.ru/~willy  VVF1-RIPE

I agree.

Mauro

--
Mauro Lacy - mauro@inter-soft.com
Intersoft Argentina - http://www.inter-soft.com
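The canonify-before-matching workaround from the quoted advisory and the address-list idea from the reply, combined in one added Python example (not code from either poster or from Squid). All function names are hypothetical, and the hosts, paths and addresses are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed rules standing in for url_regex / urlpath_regex ACL entries.
DENY_URL_REGEX = [re.compile(r"blocked\.example", re.I), re.compile(r"/adult/")]
# Constructed addresses of the blocked site (RFC 5737 documentation range).
DENY_HOST_ADDRS = {"192.0.2.10", "192.0.2.11"}


def _decode(text):
    """Undo percent-escapes until stable, so %2561 -> %61 -> a is caught too."""
    prev = None
    while text != prev:
        prev, text = text, unquote(text)
    return text


def canonical_parts(url):
    """Return (host, canonical_url). The result is for ACL matching only;
    the request that gets forwarded should stay as the client sent it."""
    parts = urlsplit(url)
    host = _decode(parts.hostname or "").lower().rstrip(".")
    default = parts.port is None or (parts.scheme == "http" and parts.port == 80)
    netloc = host if default else f"{host}:{parts.port}"
    path = _decode(parts.path) or "/"
    return host, urlunsplit((parts.scheme, netloc, path, _decode(parts.query), ""))


def naive_is_denied(url):
    """Regex applied to the raw request URL, as in the advisory."""
    return any(rx.search(url) for rx in DENY_URL_REGEX)


def is_denied(url):
    """Match the regex rules and the address list against the canonical form."""
    host, canon = canonical_parts(url)
    return host in DENY_HOST_ADDRS or any(rx.search(canon) for rx in DENY_URL_REGEX)


if __name__ == "__main__":
    samples = [  # constructed request URLs
        "http://www.blocked.example/",
        "http://www.bl%6Fcked.example/",
        "http://192.0.2.10/",
        "http://ok.example/%61dult/index.html",
        "http://ok.example/index.html",
    ]
    for url in samples:
        print(f"{url:40} naive={naive_is_denied(url)!s:5} canonical={is_denied(url)}")
```

A static address list goes stale when the site's DNS records change, so it has to be refreshed from DNS or replaced by a destination-address check made at connect time.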
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:43:08 PDT