Re: [RFC] Translate and Unless-Modified-Since headers

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 19 May 2009 00:33:21 +1200

Kinkie wrote:
> On Mon, May 18, 2009 at 1:05 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> Both of these are non-standard headers created by microsoft.
>>
>> These are both weird ones. We seem to need them, but only because they need
>> to be stripped away in certain circumstances.
>>
>> The Translate: header is the trickiest. After reading the docs it appears we
>> should be always stripping it away for security. Its entire purpose is to
>> perform code disclosure 'attacks' on targeted dynamic sites. With perhaps a
>> fast-ACL to allow admins to use it and control the requests using it when
>> they really need to.
>>
>> Pending any objections I'll add them as registered headers in 3.0 and the above
>> handling for Translate in 3.1.
>
> Do you have any reference document to point me to?
>
> +1 to registering them, but I'd like to understand a bit more before
> default-stripping.
>

http://trac2.assembla.com/Nikto_2/ticket/21
http://msdn.microsoft.com/en-us/library/cc250063(PROT.10).aspx

Looking a lot closer than the doc page it seems to be buried in WebDAV.
I get hints that it may be needed. Which screws any hope of closing that
hole in the general external case.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.7
Received on Mon May 18 2009 - 12:33:28 MDT
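The default-strip-with-override policy proposed above for Translate, as an added example that is not Squid's code and not part of the original thread: a small Python filter that applies a first-match rule list (modelled on the semantics of Squid's request_header_access directive, where the first matching allow/deny rule wins and an unmatched request falls through to the default) to a parsed request. Translate is kept only when a fast ACL matches, here an assumed internal WebDAV client network on a WebDAV method, and stripped from every other request, including the scanner-style GET carrying it. The 10.0.0.0/8 network, the method list and the two sample requests are constructed for this example; the same table can carry a rule list for Unless-Modified-Since if an admin wants one.

```python
"""Default-deny filter for the Microsoft-specific Translate: request header.

Stand-alone illustration of the policy discussed in the thread, not Squid
code. Rules are evaluated first-match-wins, like request_header_access;
a header with no matching rule is stripped (default deny).
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Request = (method, target, source IP, [(header name, value), ...])
Request = Tuple[str, str, str, List[Tuple[str, str]]]
Acl = Callable[[Request], bool]        # "fast" ACL: pure predicate, no lookups
Rule = Tuple[str, Acl]                 # ("allow" | "deny", acl)

# Assumed set of WebDAV methods for which Translate is legitimately needed.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "COPY", "MOVE"}


def parse_request(raw: bytes, src_ip: str) -> Request:
    """Parse the head of an HTTP/1.x request (no body handling needed here)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, src_ip, headers


# --- fast ACL building blocks -------------------------------------------------
def acl_src(network: str) -> Acl:
    net = ipaddress.ip_network(network)
    return lambda req: ipaddress.ip_address(req[2]) in net


def acl_method(methods) -> Acl:
    return lambda req: req[0] in methods


def acl_all(req: Request) -> bool:
    return True


def acl_and(*acls: Acl) -> Acl:
    return lambda req: all(a(req) for a in acls)


# --- policy: header name (lower-case) -> ordered rule list ---------------------
# Assumed policy: only WebDAV methods from the internal 10.0.0.0/8 network may
# carry Translate; everything else has it stripped. The trailing "deny all" is
# explicit so the intent is visible, though an unmatched header is denied anyway.
POLICY: Dict[str, List[Rule]] = {
    "translate": [
        ("allow", acl_and(acl_src("10.0.0.0/8"), acl_method(WEBDAV_METHODS))),
        ("deny", acl_all),
    ],
}


def header_allowed(name: str, req: Request, policy: Dict[str, List[Rule]]) -> bool:
    """First matching rule decides; headers with no policy entry pass through."""
    rules = policy.get(name.lower())
    if rules is None:
        return True
    for action, acl in rules:
        if acl(req):
            return action == "allow"
    return False


def apply_policy(req: Request, policy: Dict[str, List[Rule]]) -> List[Tuple[str, str]]:
    """Return the header list with every policy-denied header removed."""
    _method, _target, _src, headers = req
    return [(n, v) for (n, v) in headers if header_allowed(n, req, policy)]


# Constructed sample traffic: a scanner-style probe from outside, and a
# WebDAV client request (same header) from the internal network.
SCANNER_REQUEST = (b"GET /default.asp HTTP/1.1\r\n"
                   b"Host: www.example.com\r\n"
                   b"User-Agent: scanner\r\n"
                   b"Translate: f\r\n\r\n")
WEBDAV_REQUEST = (b"PROPFIND /docs/ HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"Depth: 1\r\n"
                  b"Translate: f\r\n\r\n")

if __name__ == "__main__":
    for raw, ip in ((SCANNER_REQUEST, "203.0.113.9"), (WEBDAV_REQUEST, "10.1.2.3")):
        req = parse_request(raw, ip)
        print(req[0], req[1], "from", ip, "->", [n for n, _ in apply_policy(req, POLICY)])
```

The equivalent in squid.conf is an `acl` for the WebDAV clients followed by `request_header_access Translate allow <that acl>` and `request_header_access Translate deny all`; the order matters for the same first-match reason the Python rule list shows.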

This archive was generated by hypermail 2.2.0 : Mon May 18 2009 - 12:00:02 MDT