Re: TCP_DENIED when port !=80 and <= 1024

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 13 May 1999 02:53:40 +0200

Dancer wrote:

> Note that the above can be done without 'CONNECT', and with 'GET'
> instead using a not dissimilar trick. I won't list it here, because it
> takes a small modicum of brain-power to work out. Why make it _too_ easy
> for people?

And why make one more example when all who "need" to know how to do
such a thing already know it. The subject has been discussed in depth
both here on Squid-users, and on BUGTRAQ. First abuses used CONNECT,
then others found that similar things could be done with POST
(especially the Squid implementation of it) and finally using GET.

It should be noted that most types of proxies can be abused in this
manner, not only HTTP proxies. It is also not a problem specific to
Squid but applies to all HTTP proxies.

--
Henrik Nordstrom
Spare time Squid hacker
Received on Wed May 12 1999 - 18:40:35 MDT
