Re: [squid-users] double dots in domain name leads to web filter bypass

From: Marc Elsen <marc.elsen@dont-contact.us>
Date: Sat, 18 Jan 2003 11:41:46 +0100

Erik Horn wrote:
>
> We have found a situation with our combination of web filter and squid
> that allows users to bypass the web filter by specifying a url such as
> http://www.sex..com. This was tested with squid 2.5-stable1-20021115.
>
> Our web filter is an external device with two network connections. On the
> network, it sits between the users and the proxy, filtering requests as
> they are sent to the proxy. In our case, our proxy also has two network
> connections, one connecting to the filter and the other is connected to
> the internet. This results in all requests from the users being filtered,
> while the requests from the proxy to the internet are not.
>
> The problem is that when a user requests the url http://www.sex..com, the
> filter does not recognize the domain as a blocked domain and passes it to
> the proxy. Squid removes the extra dot and forwards the request as
> http://www.sex.com and the page is returned to the user.

 Do you mean that the filter is the first talking point for the
 user's browser?
 
 I mean, such schemes could be easily prevented by first 'using' SQUID
 and then the filter in your Internet access chain.

 In my case I use squidguard as a redirector.

 Squid's behavior is preferential for me for the dot cases,
 in the sense that it donates 'normalized urls' to squidguard.

 The result is that such syntaxes cannot be used to bypass
 my filter, hence for my configuration this does
 not pose any problem.

 M.

>
> In March, this was reported in bugzilla as bug #318, but it was closed
> because it was a "feature" and there were no known side effects. I plan
> to make a new entry in bugzilla with this email attached.
>
> Hack/Fix:
>
> The URL is rewritten before ACLs are processed, therefore an ACL can not
> fix the problem. I worked around it by a combination of modifying the
> source code and an ACL. To fix the source code, edit src/url.c and search
> for "duplicate dots" and comment out the two lines following the comment:
>
> /* remove duplicate dots */
> while ((t = strstr(host, "..")))
> xmemmove(t, t + 1, strlen(t));
>
> Recompile and install.
>
> The following ACL is also needed to actually block the request:
>
> acl doubledot dstdom_regex \.\.
> http_access deny doubledot
>
> Without the code change, the ACL will have no effect.
>
> I consider this to be a bug because it can't be blocked with an ACL and
> the access.log entry shows the corrected URL instead of the original URL.
>
> Thanks,
>
> Erik

-- 
 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)
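The mismatch the thread describes, as an added illustration that is not squid's code and not from either poster: a filter that matches the raw host string misses "www.blocked..example", while one that collapses duplicate dots first (the same loop quoted from src/url.c, re-implemented here) catches it. The blocklist, the hostnames and the function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed blocklist for the example (not from the page's filter). */
static const char *const blocklist[] = { "blocked.example", NULL };

/* Re-implementation of the dot-collapsing loop quoted from src/url.c:
 * each pass removes one dot of a ".." pair until none remain. */
void collapse_double_dots(char *host)
{
    char *t;
    while ((t = strstr(host, "..")) != NULL)
        memmove(t, t + 1, strlen(t)); /* strlen(t) bytes include the NUL */
}

/* Suffix-style domain match: blocks the entry itself and any subdomain. */
int host_is_blocked(const char *host)
{
    size_t hlen = strlen(host);
    for (const char *const *e = blocklist; *e; e++) {
        size_t elen = strlen(*e);
        if (hlen == elen && strcmp(host, *e) == 0)
            return 1;
        if (hlen > elen && host[hlen - elen - 1] == '.' &&
            strcmp(host + hlen - elen, *e) == 0)
            return 1;
    }
    return 0;
}

/* Decide as an upstream filter would: 1 = deny. With normalize_first == 0
 * the filter sees the host exactly as the browser sent it; with 1 it
 * canonicalises the same way the proxy behind it will before forwarding. */
int filter_decision(const char *raw_host, int normalize_first)
{
    char host[256];
    snprintf(host, sizeof host, "%s", raw_host);
    if (normalize_first)
        collapse_double_dots(host);
    return host_is_blocked(host);
}

int main(void)
{
    const char *req = "www.blocked..example"; /* constructed bypass attempt */
    printf("raw match:        %s\n", filter_decision(req, 0) ? "deny" : "allow");
    printf("normalised match: %s\n", filter_decision(req, 1) ? "deny" : "allow");
    return 0;
}
```

The defensive point is that whichever device enforces policy must see the same canonical host the proxy will actually connect to, either by filtering after squid (as Marc does with a redirector) or by normalising before matching.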
Received on Sat Jan 18 2003 - 03:41:50 MST
