Re: [squid-users] SECURITY ALERT: Host: header forgery detected with today's BZR checkout from Amos Jeffries on 2011-08-15 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 16 Aug 2011 01:56:18 +1200

On 15/08/11 23:52, Ralf Hildebrandt wrote:
> With today's BZR checkout (3.2-HEAD) I'm getting a lot of "SECURITY
> ALERT: Host: header forgery detected" with everyday requests:
>
> 2011/08/15 13:50:59.016| SECURITY ALERT: Host: header forgery detected from local=141.42.1.205:8080 remote=10.43.65.227:3266 FD 1312 flags=1 (amsprd0104.outlook.com:443 does not match amsprd0104.outlook.com)

We now forcibly detect CVE-2009-0801 vulnerability abuse. A few cases
have been found missing from the detection. Please apply these two
patches in this order:

http://www.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-11647.patch

http://www.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-11649.patch

> 2011/08/15 13:50:59.016| client_side.cc(1579) keepaliveNextRequest: abandoning local=141.42.1.205:8080 remote=10.43.65.227:3266 FD 1312 flags=1

keep-alive on CONNECT requests after an error response (the one above)
is possible, but still has this one remaining bug. In your case it is
triggered by the above error, so will disappear again after those
patches go in.

NP: There is a patch trying to fix this. I'm looking for someone with
NTLM (most common and also most complex real-world test case) willing to
test on real traffic and confirm that it works (or not).

If anyone reading this needs NTLM + CONNECT (HTTPS over Squid) please
check out the last few comments on
http://bugs.squid-cache.org/show_bug.cgi?id=3213

> 2011/08/15 13:51:00.746| SECURITY ALERT: Host: header forgery detected from local=141.42.1.205:8080 remote=192.168.247.63:3900 FD 39 flags=1 (profpeak.avira-update.com does not match 89.105.213.24)
> 2011/08/15 13:51:00.752| SECURITY ALERT: Host: header forgery detected from local=141.42.1.205:8080 remote=192.168.247.63:3901 FD 1407 flags=1 (profpeak.avira-update.com does not match 89.105.213.24)

Detection seems to be working properly in this case.

"profpeak.avira-update.com does not match 89.105.213.24"

NP: I've had a few other private mentions about Avira. It seems you need
to check how/why that request is being made and fix something.
* If that is part of an internal redirect or HTTP loop to/from
internal update servers I suggest cache_peer doing a reverse-proxy and
avoiding the Host: trickery.
* If that is part of Avira being used as a chained proxy or via
url_redirector interface I suggest updating it to use the ICAP interface
with Squid.

If any problems remain or you have questions about the matches see the
(new in 3.2) debug_options 11,2 for full HTTP protocol trace.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.10

Received on Mon Aug 15 2011 - 13:56:26 MDT

This archive was generated by hypermail 2.2.0 : Tue Aug 16 2011 - 12:00:02 MDT