[Nottingham] apache or squid for proxying?
Mike Cardwell
nlug at lists.grepular.com
Wed Oct 14 23:26:24 UTC 2009
Martin wrote:
>>>>> The difference is this. A java applet can only make a straight tcp
>>>>> socket connection to the web server it came from, to prevent obvious
>>>>> abuse vectors.
>>>>>
>>>>> If you have a transparent web proxy, it can connect to any web server it
>>>>> chooses.
>>>> Here's a description of the issue: https://www.kb.cert.org/vuls/id/435052
>
> Crazy thought... Would a transparent proxy that then works through a
> non-transparent proxy defeat that exploit?
>
> PCs -- (lan) --> transparent proxy ----> proxy (& gateway) ----> internet
>
> You then still get the advantage of not having to change any settings on
> the PCs already set up on an internal network.
Nah, that wouldn't make any difference. The hole would still be open.
This is all theoretical anyway, I'm not sure if it is being actively
exploited anywhere. I know if I had an hour spare I could write an
applet to exploit it pretty easily though. I work by the theory that if
I can do it, there's 10's of thousands of evil hackers out there that
can do it better.
--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/
More information about the Nottingham
mailing list