[TriLUG] I want to build an HTTP Proxy for Home
Mike Johnson
mike at enoch.org
Mon Aug 2 14:45:32 EDT 2004
Aaron S. Joyner [aaron at joyner.ws] wrote:
> I think the concern is really that a minor could use the %00 trick to
> bypass the squidguard filter . It has been suggested on the web that
> you could use a URL something like http://safesite.com%00@www.trilug.org
> and squidGuard would interpret this as http://safesite.com - thus
> allowing you access. Unfortunately, that's just not how it works.
> People have been confusing two different vulnerabilities with that
> example. You'd really have to have the URL built into the path of the
> request - and not in the domain name part. This vulnerability is not
> going to allow you to bypass a domain-based filter (i.e. filters that
> reference porn.com are not going to be bypassed by this to allow you
> access to that site). It briefly may have allowed you to bypass an
> expression-based filter, one that forbids the word "bad" in this url, for
> example: http://www.example.com/%00test/bad.html
Yes. The null byte has to occur in the path on the server, not in the
name itself. The specific instance I was looking into was bypassing
wildcard blocks. For instance, a filter denying access to a URL with
the word 'nude' in the path:
http://www.example.com/nude.jpg
That was blocked by the wildcard in place. However:
http://www.example.com/%00nude.jpg
would allow me access to the naughty jpg.
> For what it's worth, I think the actual vulnerability they're
> referencing was due to the underlying mechanisms that Squid works
> against, and I do believe those are currently resolved. I have tested
> the Intrex filter to be sure, and I was unable to bypass the filter with
> either of the above exploit types.
Do y'all use wildcard filters, such as the example I gave above? If so,
is the example I gave above blocked?
> The really amusing core of the matter is, the people you're usually
> trying to filter aren't the type of folks that exploit null-character
> string vulnerabilities. :) Now granted, there are the occasional
> exceptions to that rule, but by and large that's the case. In an
> Intrex-style environment we have to cover all the bases to be sure (we
> do have some corporate clients that filter their employees w/ our
> filtering software), but in the case of the original poster... If my
> child discovers and starts abusing a method to get around your filtering
> software, after disciplining him for breaking the rules and educating
> him on why objectionable content is objectionable... I'll be taking him
> out for ice cream to celebrate his first good hack. :) An extra scoop
> if he came up with the sploit on his own.
Please understand that I was not trying to say 'squidguard is useless
because it can't protect against X'. I was truly asking if there was a
solution for the problem. I am not implementing this for myself, but
helping someone else. And yes, I'm being deliberately vague about the
environment I'm dealing with.
Mike
--
"Spare me your space-age technobabble Atilla The Hun!" -- Zapp Brannigan
GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
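An added example, not code from the thread or from squidGuard, showing why the %00 bypass works against a path-expression filter but not a domain list, and what a hardened check looks like. It assumes the old behaviour was a decoded path handed to C string functions (so matching stopped at the first NUL); the blocklists and sample requests are constructed from the URLs discussed above.

```python
from urllib.parse import unquote, urlsplit

# Constructed blocklists, in the spirit of squidGuard expression and
# domain lists; not a real policy.
BLOCKED_WORDS = ("nude", "bad")
BLOCKED_HOSTS = ("www.trilug.org",)


def c_string(s: str) -> str:
    """Assumed model of the old behaviour: once decoded, the path reaches a
    C string function that stops at the first NUL, so everything after
    %00 is invisible to the matcher."""
    return s.split("\x00", 1)[0]


def naive_filter_blocks(url: str) -> bool:
    """Decode, truncate like a C string, then match: bypassable with %00."""
    path = c_string(unquote(urlsplit(url).path))
    return any(word in path for word in BLOCKED_WORDS)


def hardened_filter_blocks(url: str) -> bool:
    """Decode fully, refuse NUL and other control characters outright, and
    match the entire decoded path, so %00 cannot hide what follows it."""
    path = unquote(urlsplit(url).path)
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in path):
        return True  # control characters never belong in a path: deny
    return any(word in path for word in BLOCKED_WORDS)


def domain_filter_blocks(url: str) -> bool:
    """Domain lists compare the parsed host, which is why the %00@ trick
    does not fool them: the userinfo before '@' is simply discarded."""
    return urlsplit(url).hostname in BLOCKED_HOSTS


# Constructed sample requests taken from the discussion above.
SAMPLE_URLS = [
    "http://www.example.com/nude.jpg",
    "http://www.example.com/%00nude.jpg",
    "http://www.example.com/%00test/bad.html",
    "http://www.example.com/ok.html",
    "http://safesite.com%00@www.trilug.org",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:42} naive={naive_filter_blocks(u)!s:5} "
              f"hardened={hardened_filter_blocks(u)!s:5} "
              f"domain={domain_filter_blocks(u)}")
```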