httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@znep.com>
Subject Simple way to bypass squid ACLs (fwd)
Date Fri, 20 Feb 1998 19:12:27 GMT


---------- Forwarded message ----------
Date: Fri, 20 Feb 1998 09:04:33 +0100 (CET)
From: Arjan de Vet <Arjan.deVet@adv.IAEhv.nl>
To: squid-users@nlanr.net
Subject: Simple way to bypass squid ACLs (fwd)
Resent-Date: Fri, 20 Feb 1998 00:06:23 -0800 (PST)
Resent-From: squid-users@nlanr.net

Just found this on bugtraq.

Arjan

From: willy@CSU.AC.RU (Vitaly V. Fedrushkov)
Newsgroups: list.bugtraq
Subject: Simple way to bypass squid ACLs
Date: 20 Feb 1998 08:50:22 +0100
Message-ID: <Pine.LNX.3.96.980220075749.8859A-100000@apex.csu.ac.ru>
Reply-To: "Vitaly V. Fedrushkov" <willy@CSU.AC.RU>

-----BEGIN PGP SIGNED MESSAGE-----

Good $daytime,

Software:       Squid Internet Object Cache
Version:        1.1.20 (at least)
Summary:        any URL-based ACLs can be bypassed using
                simple rewriting
Impact:         renders any access control based on url_regex
                and/or urlpath_regex unusable


Details
~~~~~~~
It is possible to bypass squid access control rules based on URL
regular expressions.  Due to insufficient URL parsing it is possible
to rewrite URL with hex escapes so that it is no longer matched
against some rule but remains valid for replying server.


Example
~~~~~~~
squid.conf:
        ...
        acl PornoURLs url_regex "/var/lib/squid/etc/PornoURLs.acl"
        ...
        http_access     deny    PornoURLs
        ...

PornoURLs.acl:
        ...
        aha.ru.*/~sands/
        ...

netscape http://www.aha.ru/~sands/      -> Access denied
netscape http://www.aha.ru/~%73ands/    -> 200 OK

_BUT_

http://www.ravage.com/plypage/html/nude.html     -> Access denied
http://www.ravage.com/plypage/html/%75%6ede.html -> 404 Object Not Found

Impact
~~~~~~
Any access restrictions based on such ACLs can be easily broken by
clients.  In my case it can be used for acceptable usage policy (AUP)
violation.


Workaround
~~~~~~~~~~
1. Rewrite regexps to match any valid URL rewriting.  Seems tricky
and result is unreadable by human (== easy to mistype).

2. Use some request-rewriting software at proxy port to canonify
request and forward it to squid.  This breaks port- and IDENT-based
rules.


Other software
~~~~~ ~~~~~~~~
As you can see, result depends on server implementation.  RFC1738 says
MAY on escaping printable characters.  Also it is stated that such
escapes may change URL semantics.  None the less, any other software
that uses URL matching is about to be checked.

Thanks for your time.

  Regards,
  Willy.

- - --
"No easy hope or lies        | Vitaly "Willy the Pooh" Fedrushkov
 Shall bring us to our goal, | Information Technology Division
 But iron sacrifice          | Chelyabinsk State University
 Of Body, Will and Soul."    | mailto:willy@csu.ac.ru  +7 3512 156770
                   R.Kipling | http://www.csu.ac.ru/~willy  VVF1-RIPE

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: koi8

iQCVAwUBNOzyUzslK91NCq/tAQHQ5QQAksWEioRWwwowl1TIHaVimE2i5AxEAYw4
3qOSJYI7bY2+0pM1R+1By+A8sWU6cPpvetNopO7DhRD/ytX01UiImoMfvw1vg5ET
VAmIPMI0AI/O5fvkjXoLtJBsDaWc2t51NE4Z9Q6NHn6tnjTIIX1toSNJKxylZL0L
xn7Tr3KnSXI=
=6k0i
-----END PGP SIGNATURE-----


Mime
View raw message