-----BEGIN PGP SIGNED MESSAGE----- In message <E0zRAWY-0003iT-00at_private>, Mnemonix writes: >Okay - to make everything more clear > > > >Firstly it seems that most web-based proxies, not just MS Proxy, are >susceptible to this kind of attack. Thanks to Greg Jones and others for >doing some testing on this. > It is true that most improperly configured web proxy servers can be exploited to allow you to access any service on a remote system. The key statement here is "improperly configured". At a previous job at a network equipment manufacturer, I was responsible to the administration of the web servers and proxies. I installed rules on the proxy server that indicated what ports I would allow people to connect to on remote systems. The proxy was configured to allow connections only to ports 70,80-89,8000-8090 on the remote servers (I think that was all, but my memory may have missed a few). If a user attempted to access a server that was running on a different port, they would get a message indicating that access was being denied to this server/port and that if they needed access, they should contact "The Web Police". We could then determine if a special case rule was necessary to allow access. This is a reminder that if your firewall policy is to deny anything that is not specifically allowed, you need to remember to implement this exact same policy on your proxy server if you wish to maintain security. I would also recommend that you do NOT run a proxy server on port 80. Pick some other port in the 81-89 range and ensure that your proxy is configured to allow connections from inside addresses only (even if you have installed packet filtering rules to do the same). I always like to assume that everything else is broken and repeat the rules where I can. Marc - -- Marc D. Behr mbehrat_private SecurePipe Communications, LLC PGP Key ID: 0x0D8A666F Fingerprint16: 0B E0 30 14 E0 CF 3C 4C D6 37 87 E2 D6 E5 88 E0 -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQEVAwUBNh4CLdnuRAINimZvAQEpQAf/ZlO76maXS/CBKyBAixONlD3uGFuQHZLG PsT2fAhcPbgLwNmqA+NcsQPeFH5eK1jj1iodQ2vBRfoS8pNDMpLqMbGS5E8pxfwX A+PPUymvqy/weyD0gvvnpecjOtbbjkINWQJDVMafaZxBoUr46oRAePdfD2H8l6ID s+taFT08V9FelBfbqGvNcG0kaDkUQ64oopEfA8dEd++QlSW0uAVoRcG6m52G1jXn uz9ejxwH6cXftDLDcp0yn3t2lydaH8kJsDNwxrfO9PavT/Ma6T7aaJNC1fiWLTv9 +WrFHqvjTvJ0uoVfp9ftSvwFh4qRXzbYOheYvi/qbcr2yr8MO3Nj1w== =Q3Nu -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:07 PDT