Re: [squid-users] Security Concerns

From: Amos Jeffries <>
Date: Fri, 7 Nov 2008 13:19:00 +1300 (NZDT)

> On Thu, 2008-11-06 at 14:52 +0000, David Hurcomb wrote:
>> Hello,
>> I am running Squid on a Linux box which is also hosting a customer
>> database (Oracle).
>> I am concerned that by having the Proxy server on the same box as the
>> database that I am introducing an increased security risk.
>> e.g. an exploit in squid might mean that a hacker is able to gain access
>> to my customer database.
>> Assuming that my network is locked down so that the (external router)
>> firewall has blocked all WAN->LAN traffic to our network on all ports am
>> I correct in assuming that....
>> The only weakness is from a security exploit to squid being initiated
>> from inside our network.
>> The network user might potentially be duped to go to a boobytrapped web
>> page which has the potential to exploit a security weakness in squid
>> itself.
>> Thanks in advance for your answers, I would like to be able to sleep
>> soundly that my proxy server is not a security risk to my data.
> You did not ask any questions. In general, you are correct that adding
> applications to a server increases your security risks. Hopefully, the
> benefits of those applications outweigh the risks.
> In Squid's case, you can (and should) mitigate some of the risks by
> running Squid using a non-privileged user account which is different
> from the database user account. If Squid is compromised and Linux is
> not, you may lose connectivity but not the database.

There is a list of advisories against certain older Squid releases.

In the end it comes down to, use the latest Squid available (2.7.STABLE5
or 3.0.STABLE10) and be careful with the access controls you configure.

If you are in a security critical situation, stay away from transparent
interception. There are complicated but possible avenues for abusing
transparent proxies for web access (but none known that would affect
non-web software without a badly insecure config).

Received on Fri Nov 07 2008 - 00:19:06 MST
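The three hardening points made in this thread (run Squid under an unprivileged account that is not the database account, be careful with the http_access rules, and avoid transparent interception) as an added example that is not part of the original posts. It is a POSIX shell audit that writes two constructed squid.conf fragments, one weak and one hardened, and checks each for those points. The user name "proxy", the 192.168.1.0/24 LAN, the listening address, and the assumption that the Oracle account is literally named "oracle" are all illustrative choices, not anything stated in the thread. The checks look at the Squid 2.7/3.0-era keywords (`transparent`, `tproxy`) plus the later `intercept` spelling.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project):
# audit a squid.conf for the hardening points discussed above.
# Both config fragments below are constructed for illustration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Weak config: Squid keeps root, intercepts traffic transparently, and the
# http_access list has no explicit final deny.
cat > "$WORK/weak.conf" <<'EOF'
http_port 3128 transparent
cache_effective_user root
acl localnet src 192.168.1.0/24
http_access allow localnet
EOF

# Hardened config: dedicated unprivileged user (assumed name "proxy"),
# forward proxy bound to the LAN interface only, the usual port ACLs,
# and an explicit "deny all" as the last http_access rule.
cat > "$WORK/hardened.conf" <<'EOF'
http_port 192.168.1.1:3128
cache_effective_user proxy
cache_effective_group proxy
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.1.0/24
acl Safe_ports port 80 443 21 70 210 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
EOF

# Print the config with comments and blank lines removed.
active_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# PASS only if cache_effective_user is set explicitly and is neither root
# nor the database account (assumed here to be "oracle"). An unset value
# falls back to Squid's default of "nobody", a shared account, so it is
# treated as a failure too.
check_user() {
    user=$(active_lines "$1" | awk '$1 == "cache_effective_user" { u = $2 } END { print u }')
    case "$user" in
        ""|root|oracle) return 1 ;;
    esac
    return 0
}

# PASS only if no http_port line carries an interception keyword.
check_intercept() {
    if active_lines "$1" | awk '$1 == "http_port"' \
        | grep -Eq '(^|[[:space:]])(transparent|intercept|tproxy)([[:space:]]|$)'; then
        return 1
    fi
    return 0
}

# PASS only if the last http_access rule is "deny all"; Squid otherwise
# applies the opposite of the last rule to anything left unmatched.
check_deny_all() {
    last=$(active_lines "$1" | awk '$1 == "http_access" { l = $2 " " $3 } END { print l }')
    [ "$last" = "deny all" ]
}

# Run all checks on one file; the return value is the number of failures.
audit() {
    fails=0
    printf 'Auditing %s\n' "$1"
    for c in check_user check_intercept check_deny_all; do
        if "$c" "$1"; then
            printf '  PASS %s\n' "$c"
        else
            printf '  FAIL %s\n' "$c"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

audit "$WORK/weak.conf" || :
audit "$WORK/hardened.conf" || :
```

The audit is deliberately line-oriented and ignores `include` directives, so run it against the fully expanded configuration if you split squid.conf across files. It does not replace `squid -k parse`, which is still the way to confirm the file is syntactically valid for the Squid release you actually run.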

This archive was generated by hypermail 2.2.0 : Fri Nov 07 2008 - 12:00:03 MST