[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

Matus UHLAR - fantomas uhlar at fantomas.sk
Thu Oct 29 17:29:26 UTC 2015


>On 10/28/2015 10:46 PM, Amos Jeffries wrote:
>> NP: these problems do not exist for forward proxies. Only for traffic
>> hijacking interceptor proxies.

On 29.10.15 09:05, Alex Rousskov wrote:
>For intercepted connections, Squid should, with an admin permission,
>connect to the intended IP address without validating whether that IP
>address matches the domain name (and without any side effects of such
>validation). In interception mode, the proxy should be as "invisible"
>(or as "invasive") as the admin wants it to be IMO -- all validations
>and protections should be optional. We could still enable them by
>default, of course.
>
>SslBumped CONNECT-to-IP tunnels are essentially intercepted connections
>as well, even if they are using forwarding (not intercepting) http_ports.

the "admin permission" is the key question here.  There's a possible problem
where the malicious client can connect to a malicious server, ask for any
server name and the malicious content could get cached by squid as a proper
response.

I guess most admins do intercepting to avoid client configuration, not to
hide the proxies.
-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I don't have lysdexia. The Dog wouldn't allow that.
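The cache-poisoning scenario raised above (a client that controls both the intercepted destination IP and the Host header) as an added example, not code from the original post or from Squid itself. It is a toy model of an intercepting proxy's cache with the host validation switchable on and off; the DNS table, origin servers, hostname, addresses and response bodies are all constructed for the example, and the "fetch from the original destination IP, never cache on mismatch" policy is the model's own simplification of the check the thread is discussing:

```python
"""Toy model of an intercepting proxy cache (constructed example).

Shows why an interceptor must check that the TCP destination the client
connected to actually belongs to the Host name it sent: without that
check, an attacker can connect to its own server, claim any Host, and
have the reply stored under the victim's URL in the shared cache.
"""

# Constructed DNS view of the proxy: hostname -> legitimate IPs.
DNS = {
    "bank.example": {"198.51.100.10", "198.51.100.11"},
}

# Constructed origin servers, reachable by IP.  203.0.113.66 is the
# attacker's server and happily answers for any Host it is given.
ORIGINS = {
    "198.51.100.10": lambda host, path: f"real page for {host}{path}",
    "198.51.100.11": lambda host, path: f"real page for {host}{path}",
    "203.0.113.66": lambda host, path: f"ATTACKER page served for {host}{path}",
}


class InterceptingProxy:
    """Minimal intercepting proxy with a shared, URL-keyed cache."""

    def __init__(self, validate_host: bool):
        self.validate_host = validate_host
        self.cache = {}   # cache key "http://host/path" -> response body
        self.log = []     # human-readable trace of what happened

    def handle(self, dst_ip: str, host: str, path: str) -> str:
        """Handle one intercepted request.

        dst_ip is the TCP destination the client really connected to;
        host and path come from the client-supplied Host header and
        request line, so the client controls all three.
        """
        key = f"http://{host}{path}"
        if key in self.cache:
            self.log.append(f"HIT   {key} (client dst {dst_ip})")
            return self.cache[key]

        # Host header forgery check: the intercepted destination must be
        # one of the addresses the Host name resolves to.
        forged = dst_ip not in DNS.get(host, set())
        if self.validate_host and forged:
            self.log.append(f"FORGED {key}: dst {dst_ip} not in DNS for {host}")

        # Relay to the IP the client actually connected to.  Re-routing
        # to the Host's real IP would let a client use the proxy to reach
        # hosts it otherwise could not, so the model never does that.
        body = ORIGINS[dst_ip](host, path)

        # Only a response whose destination matched the Host name may be
        # stored under a key built from the client-chosen Host.
        if not (self.validate_host and forged):
            self.cache[key] = body
            self.log.append(f"STORE {key} from {dst_ip}")
        return body


def poisoning_attempt(validate_host: bool):
    """Attacker hits its own server with a forged Host, then a victim
    requests the same URL through the shared proxy.

    Returns (attacker_body, victim_body).
    """
    proxy = InterceptingProxy(validate_host)
    attacker = proxy.handle("203.0.113.66", "bank.example", "/login")
    victim = proxy.handle("198.51.100.10", "bank.example", "/login")
    return attacker, victim


if __name__ == "__main__":
    for flag in (False, True):
        _, victim_body = poisoning_attempt(flag)
        print(f"validate_host={flag}: victim received {victim_body!r}")
```

With validation off, the victim's request is a cache hit on the attacker's body; with it on, the attacker still gets its own page back (the proxy stays "invisible" to that connection) but nothing is stored, so the victim's request goes to the real origin. Note that the check only protects the cache; it does nothing for a forward proxy, which already resolves the Host itself, and it does not help a client that has no shared cache behind it.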

