Re: [squid-users] Two security questions...

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Wed, 07 Jun 2006 05:41:39 +0200

tis 2006-06-06 klockan 19:23 -0400 skrev Bernard Barton:
> I've been informed by our security department that we have two
> vulnerabilities
> on a squid reverse proxy I have running. It's running squid-2.5.STABLE3 on
> Red Hat AS 4.0. The first issue concerns squid identifying itself on
> port 80.
> If you telnet to the squid proxy on port 80, then type "get /", squid
> returns
> the message "Server: squid/2.5.STABLE3 " (See Fig. 1)

> You can see that it clearly identifies itself as a SQUID Proxy version
> 2.5.Stable3.

Yes, as mandated by the RFCs... I don't agree this is a vulnerability.
But the upcoming 2.6 release do have a config option to not reveal the
version number for those who are paranoid about these things. Be warned
however that hiding version numbers does not increase security at all,
only makes auditing and error tracing harder. The bad guys simply throws
all the available exploits at the server port anyway and doesn't really
care about the version number, so in practice the only effect you have
from disabling the version number is that you can't use automated audit
tools in your network in a nice and ordered manner.

> The second issue concerns using telnet to connect to connect to port 80
> on the
> same squid proxy server, and issuing a "CONNECT localhost:22 HTTP/1.0 ".
> You can see in Fig. 2 listed below that this connects to ssh on port 22:

Then you have removed the access checks found in the default squid.conf
shipped with Squid which is there just to block this kind of abuse. You
should be very careful with where you allow CONNECT to.

Regards
Henrik

Received on Tue Jun 06 2006 - 21:41:43 MDT

This archive was generated by hypermail pre-2.1.9 : Sat Jul 01 2006 - 12:00:01 MDT