Re: [PATCH] Support bump-ssl-server-first and mimic SSL server certificates

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 16 Jul 2012 14:43:04 +1200

On 16.07.2012 14:42, Amos Jeffries wrote:
> On 13.07.2012 05:30, Tsantilas Christos wrote:
>>
>>> src/forward.cc:
>>> * It seems that selectPeerForIntercepted() is permitting pinned
>>> destinations to pass-thru when Host header is non-validated.
>>> Malicious intercepted clients now only need to send www-auth
>>> credentials for a connection-auth scheme (triggering pinning) to be able
>>> to make poisoning attacks on any followup pipelined request.
>>> eg:
>>> GET / HTTP/1.1
>>> Host: cahoots.server
>>> WWW-authenticate: NTLM fake
>>> \r\n
>>> GET /poisoned-URI/ HTTP/1.1
>>> Host: victim.site
>>
>> Inside selectPeerForIntercept there is the call
>> client->validatePinnedConnection, which checks if the host header is
>> the correct one and, if it is not, unpins the connection.
>>
>
> I've been considering this more and it appears that your point stands
> up well. This is something we need in 3.2.
>
> Would you mind applying the particular selectPeerForIntercepted()
> creation change separately as a new partial for the fix on bug 3579?

Meh. I meant bug 3478.

Amos
Received on Mon Jul 16 2012 - 02:43:06 MDT
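As an added illustration that is not Squid's code and not from either participant in this thread, here is a simplified model of the per-request Host check the discussion is about: once a client connection has been pinned to a server connection by a connection-oriented auth scheme, every later request on that pipeline must carry the same Host, or the connection is unpinned and the request is routed normally instead of being written down the pinned socket. The class and function names, the set of pinning schemes, and the body-less request parser are assumptions made for this example; the sample request stream is the one quoted in the thread, constructed here as bytes.

```python
# Added example, not Squid's code: a minimal model of the Host check that
# must run on every request riding a pinned (connection-authenticated)
# server connection. Names are hypothetical; Squid's own
# validatePinnedConnection is C++ and does more than this.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption for this example: schemes whose credentials pin the connection.
CONNECTION_AUTH_SCHEMES = ("ntlm", "negotiate")


@dataclass
class ClientConnection:
    pinned_host: Optional[str] = None          # None means "not pinned"
    events: List[str] = field(default_factory=list)

    def pin(self, host: str) -> None:
        self.pinned_host = host
        self.events.append(f"pin {host}")

    def unpin(self, reason: str) -> None:
        self.events.append(f"unpin ({reason})")
        self.pinned_host = None


def parse_pipelined(raw: bytes) -> List[Tuple[str, str, Dict[str, str]]]:
    """Split a pipelined stream of body-less HTTP/1.1 requests into
    (method, target, headers) tuples; header names are lower-cased."""
    requests = []
    for chunk in raw.split(b"\r\n\r\n"):
        if not chunk.strip():
            continue
        lines = chunk.decode("ascii", errors="replace").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append((method, target, headers))
    return requests


def uses_connection_auth(headers: Dict[str, str]) -> bool:
    """True if the request carries credentials for a pinning scheme
    (the thread's example puts them in WWW-authenticate, so both
    header names are inspected here)."""
    for name in ("authorization", "www-authenticate"):
        scheme = headers.get(name, "").split(" ", 1)[0].lower()
        if scheme in CONNECTION_AUTH_SCHEMES:
            return True
    return False


def route(conn: ClientConnection, method: str, target: str,
          headers: Dict[str, str]) -> Tuple[str, str]:
    """Decide how one request is forwarded: ('pinned', host) uses the
    pinned server connection, ('direct', host) is resolved normally,
    ('reject', reason) is refused."""
    host = headers.get("host")
    if not host:
        return ("reject", "missing Host")
    if conn.pinned_host is not None:
        if host != conn.pinned_host:
            # The check under discussion: a request for another host must
            # never be written down a connection pinned to someone else.
            conn.unpin(f"Host {host} != {conn.pinned_host}")
            return ("direct", host)
        return ("pinned", host)
    if uses_connection_auth(headers):
        conn.pin(host)
        return ("pinned", host)
    return ("direct", host)


def process_stream(raw: bytes) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Run a whole pipelined stream through one client connection and
    return (routing decisions, pin/unpin events)."""
    conn = ClientConnection()
    decisions = [route(conn, *req) for req in parse_pipelined(raw)]
    return decisions, conn.events


# Constructed sample: the pipeline quoted in the thread.
POISON_ATTEMPT = (
    b"GET / HTTP/1.1\r\nHost: cahoots.server\r\nWWW-authenticate: NTLM fake\r\n\r\n"
    b"GET /poisoned-URI/ HTTP/1.1\r\nHost: victim.site\r\n\r\n"
)

# Constructed sample: a legitimate pipeline that stays on one host.
SAME_HOST = (
    b"GET / HTTP/1.1\r\nHost: cahoots.server\r\nAuthorization: NTLM abc\r\n\r\n"
    b"GET /next HTTP/1.1\r\nHost: cahoots.server\r\n\r\n"
)

if __name__ == "__main__":
    for label, stream in (("poison attempt", POISON_ATTEMPT), ("same host", SAME_HOST)):
        decisions, events = process_stream(stream)
        print(label, decisions, events)
```

With the check in place the second request of the quoted pipeline is unpinned and routed for victim.site on its own merits rather than being written to the connection pinned for cahoots.server; without the check, the ('direct', ...) branch would never be taken and the follow-up request would reach the wrong origin.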
