[TriLUG] I want to build an HTTP Proxy for Home

Aaron S. Joyner aaron at joyner.ws
Mon Aug 2 12:44:06 EDT 2004


Jon Carnes wrote:

>On Mon, 2004-08-02 at 11:52, Mike Johnson wrote:
>
>>Jon, Aaron,
>>
>>Do y'all have fixes for this:
>>http://xforce.iss.net/xforce/xfdb/15583
>>
>>Or is it not that big of a deal for y'all?  I was looking at SquidGuard
>>and ran across that vulnerability.  There doesn't seem to be a published
>>patch that I can find.
>>
>>Thanks,
>>Mike
>
>I hadn't seen that one yet, but it seems like a minor irritant.
>
>If you are already "looking" at a site, then it's allowed in the ACL's.
>If the site is not allowed then you can't "look" at the site to be
>affected...
>
>The only problem would be if someone wanted to allow you to bypass the
>squidguard security they could put links on an allowed site with some
>"%00"'s...
>Of course that site would soon be on the disallowed list. :-)
>
>If you were worried about that, then just include a rule that doesn't
>allow any site with the character sequence "%00" in the URL.
>
>Jo%00n Car%00nes
>
I think the concern is really that a minor could use the %00 trick to 
bypass the squidguard filter.  It has been suggested on the web that 
you could use a URL something like http://safesite.com%00@www.trilug.org 
and squidGuard would interpret this as http://safesite.com - thus 
allowing you access.  Unfortunately, that's just not how it works.  
People have been confusing two different vulnerabilities with that 
example.  You'd really have to have the URL built into the path of the 
request - and not in the domain name part.  This vulnerability is not 
going to allow you to bypass a domain-based filter (i.e. filters that 
reference porn.com are not going to be bypassed by this to allow you 
access to that site).  It briefly may have allowed you to bypass an 
expression-based filter, one that forbade the word "bad" in the URL, for 
example: http://www.example.com/%00test/bad.html

But this would require the explicit cooperation of the people running 
example.com, and (as Jon suggested) would most certainly get them 
listed in the domain black list (not that that's an appropriate long 
term solution, but it may have been used temporarily)... which brings me 
to my next point...

For what it's worth, I think the actual vulnerability they're 
referencing was due to the underlying mechanisms that Squid works 
against, and I do believe those are currently resolved.  I have tested 
the Intrex filter to be sure, and I was unable to bypass the filter with 
either of the above exploit types.

The really amusing core of the matter is, the people you're usually 
trying to filter aren't the type of folks that exploit null-character 
string vulnerabilities.  :)  Now granted, there are the occasional 
exceptions to that rule, but by and large that's the case.  In an 
Intrex-style environment we have to cover all the bases to be sure (we 
do have some corporate clients that filter their employees w/ our 
filtering software), but in the case of the original poster...  If my 
child discovers and starts abusing a method to get around your filtering 
software, after disciplining him for breaking the rules and educating 
him on why objectionable content is objectionable... I'll be taking him 
out for ice cream to celebrate his first good hack.  :)  An extra scoop 
if he came up with the sploit on his own.

Disclaimer: I have no kids, and don't presume to offer good or valid 
parenting advice.  Perhaps I'd think differently if I had a few years' 
experience dealing w/ the real live, eating, breathing, porn-surfing animal.

Aaron S. Joyner
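The distinction Aaron draws above (a %00 in the path can hide the rest of the URL from an expression filter, but cannot move a request onto another domain's allow-list) and Jon's suggested rule (refuse any URL carrying "%00") can both be seen in a small simulation. The following is an added example written for this archive page, not code from the thread, from squidGuard or from Intrex; the domain list, the "bad" expression and every URL in it are constructed, and the "truncating" matcher merely mimics the C string semantics the vulnerability report describes so the hardened variant can be compared against it.

```python
"""Added example (not from the thread or squidGuard): why a percent-encoded
NUL in the path can defeat an expression-based URL filter, and the check
Jon suggested, rejecting any URL that carries a NUL, beside a domain check
that is unaffected. All lists and URLs below are constructed."""
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed stand-ins for a squidGuard-style domain blacklist and
# expression list (the thread's example forbids the word "bad").
BLOCKED_DOMAINS = {"porn.example"}
BLOCKED_EXPRESSIONS = [re.compile(rb"bad")]


def domain_check(url: str) -> bool:
    """Return True if the request host is on the domain blacklist.

    urlsplit() discards any userinfo before the '@', so a URL such as
    "http://safesite.com%00@porn.example/" resolves to host porn.example,
    not safesite.com: the %00 trick does not change which domain is checked."""
    host = (urlsplit(url).hostname or "").lower()
    return host in BLOCKED_DOMAINS


def expression_check_truncating(url: str) -> bool:
    """Mimics a C-style matcher: the URL is percent-decoded into a buffer and
    then handled as a NUL-terminated string, so everything after the first
    NUL byte is invisible to the regular expressions. This reproduces the
    flawed behaviour described in the thread, for comparison only."""
    decoded = unquote_to_bytes(url)
    visible = decoded.split(b"\x00", 1)[0]
    return any(p.search(visible) for p in BLOCKED_EXPRESSIONS)


def expression_check_hardened(url: str) -> bool:
    """Hardened variant: refuse any URL containing an encoded or raw NUL
    (Jon's "%00" rule), and match the expressions against the full decoded
    bytes rather than a NUL-terminated view of them."""
    decoded = unquote_to_bytes(url)
    if b"\x00" in decoded:
        return True  # a NUL has no legitimate place in a URL; block outright
    return any(p.search(decoded) for p in BLOCKED_EXPRESSIONS)


def filter_verdict(url: str, expression_check=expression_check_hardened) -> str:
    """Combine the domain and expression checks the way a filter policy would."""
    if domain_check(url) or expression_check(url):
        return "BLOCK"
    return "ALLOW"


if __name__ == "__main__":
    for u in ("http://www.example.com/%00test/bad.html",
              "http://porn.example/%00/",
              "http://safesite.com%00@porn.example/",
              "http://www.example.com/ok.html"):
        print(f"{u:45s} truncating={filter_verdict(u, expression_check_truncating)} "
              f"hardened={filter_verdict(u)}")
```

Running it shows the path-based case slipping past the truncating matcher while the hardened matcher blocks it, and the domain blacklist catching the userinfo-style URL either way, which is the point made above: the %00 issue only ever concerned expression rules, and a plain "no NUL in the URL" rule closes it.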
