[Nottingham] apache or squid for proxying?

Mike Cardwell nlug at lists.grepular.com
Wed Oct 14 17:48:45 UTC 2009


Mike Cardwell wrote:

>>>> Wouldn't a simple firewall rule to block direct connects to the proxy IP 
>>>> address thwart such maliciousness?
>>> That's the thing. The java app isn't making a direct connection to the 
>>> proxy IP. It is making a direct connection to the only IP it is allowed 
>>> to, the IP of the web server it came from. It is the fact that a 
>>> transparent proxy intercepts that connection which is what causes the hole.
>> OK, so:
>>
>> rogue website ---- proxy ---- home PC
>>
>> and so the java script running on the home PC uses that home PC as a 
>> proxy for the rogue website to do further nasties to the rest of the 
>> world anonymously... OK, but how is that any different for whether the 
>> proxy is there or not?
>>
>> Or is that just an example of something the proxy /cannot/ protect against?
> 
> Just to be clear, you can't do any of this with javascript. javascript 
> is entirely different to java.
> 
> The difference is this. A java applet can only make a straight tcp 
> socket connection to the web server it came from, to prevent obvious 
> abuse vectors.
> 
> If you have a transparent web proxy, it can connect to any web server it 
> chooses.

Here's a description of the issue: https://www.kb.cert.org/vuls/id/435052

It seems some proxy servers have actually managed to fix the issue. I'm 
not sure what the fix is, but I'm going to look it up anyway as it's 
interesting stuff. Squid is still listed as vulnerable though. Apache 
isn't even listed on that page.

-- 
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/
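
An added example, not part of the original post: VU#435052 describes intercepting proxies that pick the upstream server from the request's HTTP headers instead of from the address the client actually connected to, which is how a connection the applet made to its own origin can end up somewhere else. The sketch below puts that weak routing beside a checked version; the function names, hostnames, addresses and requests are all constructed for illustration, and `orig_dst` is assumed to be the pre-redirect destination the proxy recovered from the firewall.

```python
import ipaddress

# Constructed DNS data and requests (documentation address ranges, not real hosts).
SAMPLE_DNS = {"applet-origin.example": ["203.0.113.10"],
              "intranet.example": ["192.0.2.25"]}
HONEST = b"GET / HTTP/1.1\r\nHost: applet-origin.example\r\n\r\n"
FORGED = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

def sample_resolve(name):
    """Stand-in resolver so the example runs offline."""
    return SAMPLE_DNS.get(name, [])

def parse_host(request):
    """Return the Host header value (lower-cased, port removed) or None."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):  # IPv6 literal such as [2001:db8::1]:8080
                return host[1:].split("]", 1)[0]
            return host.split(":", 1)[0]
    return None

def addresses(host, resolve):
    """Addresses a Host value stands for: itself if an IP literal, else DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return [str(ipaddress.ip_address(a)) for a in resolve(host)]

def naive_upstream(request, resolve):
    """Weak: the destination comes from the client-supplied Host header."""
    return addresses(parse_host(request), resolve)[0]

def checked_upstream(orig_dst, request, resolve):
    """Hardened: always connect to the address the client dialled, and
    report whether the Host header agrees with it (log or refuse if not)."""
    orig = str(ipaddress.ip_address(orig_dst))
    host = parse_host(request)
    if host is None:
        return orig, "no-host"
    ok = orig in addresses(host, resolve)
    return orig, "verified" if ok else "host-mismatch"

if __name__ == "__main__":
    for label, req in (("honest", HONEST), ("forged", FORGED)):
        print(label, naive_upstream(req, sample_resolve),
              checked_upstream("203.0.113.10", req, sample_resolve))
```

A "host-mismatch" result is the case worth logging, and a response fetched under it should not be cached under the Host name.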


