[Fwd: RE: UPDATE: [wcolburnat_private: SMTP relay through checkpoint fire wall]]

From: Corey J. Steele (csteele@good-sam.com)
Date: Mon Feb 25 2002 - 13:39:02 PST


    this was off-list discussion, but I suspect it may be useful for others
    on the list.
    
    -C
    -- 
    Information Security Analyst
    Good Samaritan Society
    e-mail: csteele@good-sam.com
    voice: (605) 362-3899
    PGP Key fingerprint = 564F 2A97 2ADA F492 F34C  8E4A 12AF 9DC3 400E 2DD6
    
    
    

    attached mail follows:


    Well...

    [csteele@ws47619 csteele]$ telnet viruswall 8080
    Trying XXX.XXX.XXX.XXX...
    Connected to viruswall.
    Escape character is '^]'.
    CONNECT mailserver:25 / HTTP/1.0

    HTTP/1.0 403 Forbidden
    Server: Squid/2.3.STABLE4
    Mime-Version: 1.0
    Date: Mon, 25 Feb 2002 21:55:38 GMT
    Content-Type: text/html
    Content-Length: 729
    Expires: Mon, 25 Feb 2002 21:55:38 GMT
    X-Squid-Error: ERR_ACCESS_DENIED 0
    X-Cache: MISS from viruswall
    Proxy-Connection: close

    <HTML><HEAD>
    <TITLE>ERROR: The requested URL could not be retrieved</TITLE>
    </HEAD><BODY>
    <H1>ERROR</H1>
    <H2>The requested URL could not be retrieved</H2>
    <HR>
    <P>
    While trying to retrieve the URL:
    <A HREF="mailserver:25">mailserver:25</A>
    <P>
    The following error was encountered:
    <UL>
    <LI>
    <STRONG>
    Access Denied.
    </STRONG>
    <P>
    Access control configuration prevents your request from
    being allowed at this time. Please contact your service provider if
    you feel this is incorrect.
    </UL>
    <P>Your cache administrator is <A HREF="mailto:webmaster">webmaster</A>.
    <br clear="all">
    <hr noshade size=1>
    Generated Mon, 25 Feb 2002 21:55:38 GMT by viruswall (Squid/2.3.STABLE4)
    </BODY></HTML>
    Connection closed by foreign host.

    We have VirusWall listening on port 8080, and then sending
    non-virus-laced requests to a SmartFilter-enabled SQUID proxy. All
    systems are Linux based -- most are Red Hat 6.2, with latest applicable
    patches. We built squid ourselves to include SmartFilter.

    Hopefully this helps...

    Best Regards

    -C

    On Mon, 2002-02-25 at 14:49, Peter Bieringer wrote:
    > Hi
    >
    > --On Friday, February 22, 2002 07:57:33 AM -0600 "Corey J. Steele"
    > <csteele@good-sam.com> wrote:
    >
    > > Trend's Interscan 3.6 running on Linux is not vulnerable to this
    > > (we are using Interscan in conjunction with squid.)
    >
    > Are you sure? I've tested 3.6 Build 1182 and I found it's proceeding
    > CONNECT without any problems, also to a remote mailserver:
    >
    > # telnet viruswall 80
    > Trying 1.2.3.4...
    > Connected to viwa.
    > Escape character is '^]'.
    > CONNECT mail.server.com:25 / HTTP/1.0
    >
    > HTTP/1.0 200 Connection established
    > Proxy-agent: InterScan 2.0
    >
    > 220 mail.server.com ESMTP
    > mail from: <userat_private>
    > 250 ok
    > rcpt to: <userat_private>
    > 250 ok
    > data
    > 354 go ahead
    > test
    > .
    > 250 ok 1014669994 qp 21827
    > quit
    > 221 mail.server.com
    > Connection closed by foreign host.
    >
    >
    > The only thing is that you have to type the CONNECT line quickly so
    > use "nc" or copy and paste for that.
    >
    > You can solve this if you are using squid as dispatcher and bypass
    > Interscan for CONNECT (which we do on a customer installation).
    >
    >
    > Peter
    >
    -- 
    Information Security Analyst
    Good Samaritan Society
    e-mail: csteele@good-sam.com
    voice: (605) 362-3899
    PGP Key fingerprint = 564F 2A97 2ADA F492 F34C  8E4A 12AF 9DC3 400E 2DD6
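
Added example, not part of the original message or of any vendor's code: a Python audit of Squid's native access.log format that flags CONNECT requests to ports other than 443, separating the denied case (403, as in the first session above) from a tunnel the proxy actually established (200, as in the quoted session). The allow-list and the log lines are constructed assumptions.

```python
import re

# Ports the proxy is expected to tunnel with CONNECT (assumption: HTTPS only).
ALLOWED_CONNECT_PORTS = {443}

# Squid native access.log: time elapsed client code/status bytes method URL ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def audit_connect(lines, allowed=ALLOWED_CONNECT_PORTS):
    """Return findings for CONNECT requests to ports outside `allowed`.

    Each finding is (client, host, port, verdict): 'TUNNELLED' if the proxy
    answered 200 (the relay worked), 'DENIED' if it refused, 'MALFORMED'
    if the CONNECT target has no numeric port.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"].upper() != "CONNECT":
            continue
        host, sep, port = m["url"].rpartition(":")
        if not sep or not port.isdigit():
            # Report odd targets instead of silently skipping them.
            findings.append((m["client"], m["url"], None, "MALFORMED"))
            continue
        if int(port) in allowed:
            continue
        verdict = "TUNNELLED" if m["status"] == "200" else "DENIED"
        findings.append((m["client"], host, int(port), verdict))
    return findings

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    "1014674138.101 12 192.0.2.10 TCP_DENIED/403 1011 CONNECT mailserver:25 - NONE/- text/html",
    "1014674200.450 3051 192.0.2.11 TCP_MISS/200 842 CONNECT mail.example.com:25 - DIRECT/198.51.100.7 -",
    "1014674260.777 950 192.0.2.12 TCP_MISS/200 5310 CONNECT www.example.com:443 - DIRECT/198.51.100.8 -",
    "1014674300.002 40 192.0.2.12 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/198.51.100.8 text/html",
]

if __name__ == "__main__":
    for client, host, port, verdict in audit_connect(SAMPLE_LOG):
        print(f"{verdict:9} {client} -> {host}:{port}")
```

A TUNNELLED finding on port 25 is the case to chase first: it means the proxy's access controls let a client reach a mail server through CONNECT.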



    This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 14:49:37 PST