Re: [squid-users] double dots in domain name leads to web filter bypass

From: Erik Horn <Erik_Horn@dont-contact.us>
Date: Tue, 21 Jan 2003 16:58:02 -0800

marc.elsen@imec.be writes:
>
>
>Erik Horn wrote:
>>
>> We have found a situation with our combination of web filter and squid
>> that allows users to bypass the web filter by specifying a url such as
>> http://www.sex..com. This was tested with squid 2.5-stable1-20021115.
>>
>> Our web filter is an external device with two network connections. On
>the
>> network, it sits between the users and the proxy, filtering requests as
>> they are sent to the proxy. In our case, our proxy also has two network
>> connections, one connecting to the filter and the other is connected to
>> the internet. This results in all requests from the users being
>filtered,
>> while the requests from the proxy to the internet are not.
>>
>> The problem is that when a user requests the url http://www.sex..com,
>the
>> filter does not recognize the domain as a blocked domain and passes it
>to
>> the proxy. Squid removes the extra dot and forwards the request as
>> http://www.sex.com and the page is returned to the user.
>
> Do you mean that the filter is the first talking point for the
> user's browser?
>
That is correct.
>
> I mean, such schemes could be easily prevented by first 'using' SQUID
> and then the filter in your Internet access chain.

This can create a condition where an object can enter the cache before it
is blocked by the filter and then remain in the cache after it has been
blocked by the filter.

Another option would be to filter both sides of the proxy, but that would
increase the load on the filter 50-70%.
>
> In my case I use squidguard as a redirector.
>
> Squid's behavior is preferential for me for the dot cases,
> in the sense that it donates 'normalized urls' to squidguard.

In this particular case, if it wasn't normalized, then it should be
rejected because of the invalid domain name. I do see your point where it
would be handy when filtering with a redirector.
>
> The result is that such syntaxes cannot be used to bypass
> my filter, hence for my configuration this does
> not pose any problem.
>
> M.
>
Thanks,

Erik
Received on Tue Jan 21 2003 - 17:58:17 MST
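The mismatch Erik describes, as an added example that is not part of this message, of the filter product or of Squid: a filter that matches the hostname exactly as the client sent it, next to an approximation of the proxy rewrite the post reports (the doubled dot collapsed before the request is forwarded), and a hardened filter that rejects hostnames with empty labels before matching so that no request the proxy would rewrite can slip past. The denylist, the URLs and the proxy_normalize() function are constructed for the illustration and only mimic the behaviour described above.

```python
"""Double-dot filter bypass: raw-match filter vs. normalizing proxy.

Constructed example. The filter in the post sits in front of the proxy and
compares the host exactly as the browser sent it; the proxy then rewrites
www.sex..com to www.sex.com, so the filter and the proxy disagree on which
site is being requested.
"""
from urllib.parse import urlsplit

# Constructed denylist; the post's blocked site is www.sex.com.
DENYLIST = {"www.sex.com", "sex.com"}


def host_of(url):
    """Hostname as sent, minus userinfo and port; not collapsed or validated.
    urlsplit() lowercases the hostname but leaves the dots alone."""
    return urlsplit(url).hostname


def naive_filter_blocks(url):
    """The deployed filter: exact match on the host as the client sent it."""
    return host_of(url) in DENYLIST


def proxy_normalize(host):
    """Assumption: approximates only the rewrite the post reports, i.e. the
    empty label produced by a doubled dot is dropped (www.sex..com ->
    www.sex.com). A trailing root dot is dropped for the same reason."""
    return ".".join(label for label in host.split(".") if label)


def is_valid_hostname(host):
    """RFC 1123 shape check: 1-63 character labels of ASCII letters, digits
    and hyphens, no leading/trailing hyphen, no empty labels. A single
    trailing dot (explicit root) is tolerated; a doubled dot is not."""
    if host.endswith("."):
        host = host[:-1]
    if not host or len(host) > 253:
        return False
    for label in host.split("."):
        if not 1 <= len(label) <= 63:
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            return False
    return True


def hardened_filter_decision(url):
    """Hardened filter: 'reject' malformed hosts before matching (Erik's
    point that the unnormalized form should be refused as invalid), then
    match the canonical form the proxy would actually forward.
    Returns 'reject', 'block' or 'allow'."""
    host = host_of(url)
    if host is None or not is_valid_hostname(host):
        return "reject"
    canonical = host.lower().rstrip(".")
    return "block" if canonical in DENYLIST else "allow"


def audit(url):
    """Compare the two filters on one URL. 'bypass' is True when the deployed
    filter lets the request through but the host the proxy would forward is
    on the denylist: the condition reported in the post."""
    host = host_of(url)
    forwarded = proxy_normalize(host) if host else None
    naive = naive_filter_blocks(url)
    return {
        "host_as_sent": host,
        "host_proxy_forwards": forwarded,
        "naive_blocks": naive,
        "bypass": (not naive) and forwarded in DENYLIST,
        "hardened": hardened_filter_decision(url),
    }


if __name__ == "__main__":
    # Constructed test URLs, including the one from the post.
    for u in ("http://www.sex.com", "http://www.sex..com",
              "http://WWW.SEX.COM.", "http://www.example.com"):
        print(u, audit(u))
```

The key is not which normalization is "right" but that both boxes in the request path must agree on it: either the filter canonicalizes the host the same way the proxy does before matching, or it refuses anything the proxy would have to rewrite. The hardened function takes the second route because a hostname with an empty label is not a valid name to begin with, which also avoids having to track the proxy's exact rewrite rules.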
