[squid-users] FTP PUT Denial of Service, workaround

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 19 Sep 2001 09:05:36 +0200

Here is a workaround to the FTP PUT related denial of service issue
recently found in Squid.

Put this before the first "http_access allow" line in your squid.conf:

acl FTP protocol ftp
acl PUT method PUT
http_access deny FTP PUT

This will deny any attempts to upload FTP objects via Squid.

Or alternatively, if you need to allow your users to upload FTP objects
you can try the following

acl FTP protocol ftp
acl PUT method PUT
acl directory url_regex /$ /; /?
http_access deny FTP PUT directory

but it is quite likely this does not cover all possible cases, so if you
need to allow FTP PUT and have malicious users you better patch your
Squid for the problem, or get the current Squid-2.4 nightly snapshot from
http://www.squid-cache.org/Versions/v2/2.4/ (the snapshot also contains
a couple of other minor bugfixes not yet mentioned on the bugs page)

--
Henrik Nordstrom
Squid Hacker
Received on Wed Sep 19 2001 - 01:05:38 MDT
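
The following is an added example, not part of the original message and not Squid project code: a small checker that reads squid.conf text and reports whether a deny for FTP PUT sits before the first "http_access allow" line, as the workaround requires. The function name, the localnet ACL and the sample configurations are constructed for illustration.

```python
def check_ftp_put(conf_text):
    """Classify FTP PUT handling ahead of the first 'http_access allow'.

    'blocked'     - a deny made only of FTP-protocol / PUT-method ACLs comes first
    'partial'     - the deny carries extra conditions (the url_regex variant)
    'unprotected' - no such deny precedes the first allow
    """
    ftp, put = set(), set()
    result = "unprotected"
    for raw in conf_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        tok = raw.split()
        if len(tok) >= 4 and tok[0] == "acl":
            name, kind, vals = tok[1], tok[2], tok[3:]
            if kind == "protocol" and any(v.lower() == "ftp" for v in vals):
                ftp.add(name)
            elif kind == "method" and "PUT" in vals:
                put.add(name)
        elif len(tok) >= 3 and tok[0] == "http_access":
            action, acls = tok[1], tok[2:]
            if action == "allow":
                return result  # the deny has to appear before this line
            if action == "deny":
                # ACLs on one line are ANDed, so extra ACLs narrow the deny.
                if all(a in ftp or a in put for a in acls):
                    return "blocked"
                if any(a in ftp for a in acls) and any(a in put for a in acls):
                    result = "partial"
    return result

# Constructed sample configurations.
ACLS = ("acl FTP protocol ftp\nacl PUT method PUT\n"
        "acl directory url_regex /$ /; /?\nacl localnet src 10.0.0.0/8\n")
FULL = ACLS + "http_access deny FTP PUT\nhttp_access allow localnet\n"
PARTIAL = ACLS + "http_access deny FTP PUT directory\nhttp_access allow localnet\n"
LATE = ACLS + "http_access allow localnet\nhttp_access deny FTP PUT\n"

if __name__ == "__main__":
    for label, conf in (("full", FULL), ("partial", PARTIAL), ("late", LATE)):
        print(label, "->", check_ftp_put(conf))
```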