[squid-users] R: Re: TCP_DENIED/411
Riccardo Castellani
ric.castellani at alice.it
Mon Nov 10 07:53:14 UTC 2014
I think the request is HTTP/1.1 because I captured it and in the
'Hypertext Transfer Protocol' section of the POST the field 'Request version'
is HTTP/1.1.
I understand Squid 2.7 is not able to understand HTTP/1.1, but I
ask myself: if the 'Content-Length' field were missing in the HTTP/1.1 request and
Squid were compliant with HTTP/1.1 (Squid 3.x version), would Squid return
'DENIED/411' again?
>----Original message----
>From: squid3 at treenet.co.nz
>Date: 8-Nov-2014 12.38
>To:
>Subject: Re: [squid-users] TCP_DENIED/411
>
>
>On 8/11/2014 9:05 p.m., Riccardo Castellani wrote:
>> Squid (we are using 2.7 version) checks inside the HTTP request to
>> verify the message is compliant with the RFC, but I ask myself if there is a way
>> to stop this check for a specific site/client, at least temporarily…
>> to exclude firewall problems too.
>>
>
>Don't, just don't. Seriously.
>
>The proxy gets screwed over:
>https://www.owasp.org/index.php/Improper_Data_Validation
>
>Then the origin server risks getting screwed over:
>https://www.owasp.org/index.php/Cross-User_Defacement
>https://www.owasp.org/index.php/Improper_Data_Validation
>
>Being a POST the application itself risks getting screwed over with
>infinite-length input:
>https://www.owasp.org/index.php/Improper_Data_Validation
>https://www.owasp.org/index.php/Process_Control
>https://www.owasp.org/index.php/Unsafe_Reflection
>
>And then side effects can echo right back out to the proxy to trigger
>further rounds of nastiness at random times in the future:
>https://www.owasp.org/index.php/HTTP_Response_Splitting
>https://www.owasp.org/index.php/Cross-User_Defacement
>https://www.owasp.org/index.php/Cache_Poisoning
>
>The 411 response is telling you that the client sending the proxy a
>request message is broken. Many of the above attack side effects could
>be happening in other software already as a result of this client
>Squid caught out. It really, really needs to be fixed ASAP.
>
>
>Now, there is a small possibility that the client is using HTTP/1.1
>Transfer-Encoding Squid-2.7 does not understand. The first fix for
>that is to upgrade to an HTTP/1.1 compliant Squid (which 2.7 is *not*).
>
>Amos
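The thread turns on how a proxy decides whether a POST carries a body and how long it is, and why skipping that check opens the door to the request-smuggling and cache-poisoning problems Amos links. The following is an added example, not code from the thread or from Squid: it models the RFC 7230 section 3.3.3 framing rules for a request head, with a `chunked_ok` flag (an assumption of this example) standing in for an intermediary that cannot decode chunked bodies, which is where a 411 is the standards-permitted answer.

```python
import re

# Constructed sample request heads for the examples below (not captures from the thread).
POST_CL = "POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 12\r\n\r\n"
POST_CHUNKED = "POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
POST_BOTH = ("POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             "Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")
POST_NONE = "POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"


def parse_head(head):
    """Split a raw request head into the request line and lower-cased (name, value) pairs."""
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:  # empty line ends the head
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def framing_decision(head, chunked_ok=True):
    """Return ("none", 0), ("content-length", n), ("chunked", None), ("411", None) or ("400", None)."""
    _, headers = parse_head(head)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            return ("400", None)  # body length cannot be determined: reject and close
        if cl:
            # Transfer-Encoding overrides Content-Length, but both together is the classic
            # request-smuggling signature; the conservative choice is to reject outright.
            return ("400", None)
        if not chunked_ok:
            # A recipient that cannot decode chunked sees a body with no usable length:
            # 411 Length Required is the standards-permitted refusal.
            return ("411", None)
        return ("chunked", None)
    if cl:
        # Repeated or differing Content-Length values are ambiguous framing: reject.
        values = {v.strip() for raw in cl for v in raw.split(",")}
        if len(values) != 1 or not re.fullmatch(r"[0-9]+", next(iter(values))):
            return ("400", None)
        return ("content-length", int(next(iter(values))))
    # Neither header on a request: the message body length is zero per RFC 7230.
    return ("none", 0)
```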