[squid-users] TCP_DENIED/411

Amos Jeffries squid3 at treenet.co.nz
Sat Nov 8 11:38:40 UTC 2014



On 8/11/2014 9:05 p.m., Riccardo Castellani wrote:
> Squid (we are using 2.7 version) checks inside http request to
> verify message is compliant to rfc but I ask myself if there is way
> to stop this check for specific site/client, at least temporarily…
> to exclude firewall problems too.
> 

Don't, just don't. Seriously.

The proxy gets screwed over:
https://www.owasp.org/index.php/Improper_Data_Validation

Then the origin server risks getting screwed over:
https://www.owasp.org/index.php/Cross-User_Defacement
https://www.owasp.org/index.php/Improper_Data_Validation

Being a POST the application itself risks getting screwed over with
infinite-length input:
https://www.owasp.org/index.php/Improper_Data_Validation
https://www.owasp.org/index.php/Process_Control
https://www.owasp.org/index.php/Unsafe_Reflection

And then side effects can echo right back out to the proxy to trigger
further rounds of nastiness at random times in the future:
https://www.owasp.org/index.php/HTTP_Response_Splitting
https://www.owasp.org/index.php/Cross-User_Defacement
https://www.owasp.org/index.php/Cache_Poisoning


The 411 response is telling you that the client sending the proxy a
request message is broken. Many of the above attack side effects could
be happening in other software already as a result of this client
Squid caught out. It really, really needs to be fixed ASAP.


Now, there is a small possibility that the client is using HTTP/1.1
Transfer-Encoding Squid-2.7 does not understand. The first fix for
that is to upgrade to an HTTP/1.1 compliant Squid (which 2.7 is *not*).

Amos
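A request-framing check in the spirit of the one discussed in this thread, added here as an illustration (it is not Squid's code): it models why an HTTP/1.0-only proxy answers 411 when a client relies on Transfer-Encoding, and what an HTTP/1.1-aware proxy validates instead (chunked as the final coding, no Content-Length/Transfer-Encoding conflict, no contradictory Content-Length values). The function names, the `http11_aware` flag and the "ok"/"411"/"400" outcome codes are assumptions of this example.

```python
import re

# Outcome codes for the checker (constructed for this example).
OK, LENGTH_REQUIRED, BAD_REQUEST = "ok", "411", "400"

def parse_head(raw: bytes):
    """Split a request head into (request line, {lowercased name: [values]})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return lines[0], None          # malformed header line
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def check_framing(raw: bytes, http11_aware: bool = True) -> str:
    """Decide whether the request body's framing is well defined.
    Returns OK, "411" (length cannot be determined) or "400" (ambiguous)."""
    request_line, headers = parse_head(raw)
    if headers is None:
        return BAD_REQUEST
    method = request_line.split(" ", 1)[0]
    cl = headers.get("content-length", [])
    te = headers.get("transfer-encoding", [])
    if te:
        # A Transfer-Encoding the proxy does not implement leaves the body
        # length unknown; an HTTP/1.0-only proxy like Squid 2.7 answers 411.
        if not http11_aware:
            return LENGTH_REQUIRED
        # Content-Length together with Transfer-Encoding is the classic
        # request-smuggling ambiguity: refuse rather than guess.
        if cl:
            return BAD_REQUEST
        # Only a final "chunked" coding gives a self-delimiting body.
        if te[-1].split(",")[-1].strip().lower() != "chunked":
            return LENGTH_REQUIRED
        return OK
    if cl:
        # Several identical Content-Length values are tolerated; differing
        # values or a non-numeric value are a malformed request.
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            return BAD_REQUEST
        return OK
    # No framing headers at all: a body-carrying method (assumed here to be
    # POST/PUT) gets the 411 the thread describes; other methods pass.
    return LENGTH_REQUIRED if method in ("POST", "PUT") else OK
```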