Bypassing ACLs

From: <ganesh@dont-contact.us>
Date: Wed, 1 Oct 1997 04:04:03 +0530 (IST)

Hi,
        we use squid-1.1.10/Linux 2.0.30 as our campus-wide proxy
server. Since our bandwidth is quite low, we rely a lot on ACLs to keep
non-essential traffic from choking the link.
        Our ACL list looks something like this:
acl pictures url_regex "/usr/local/squid/etc/policy/pictures_deny.list"
acl pornsites dstdomain "/usr/local/squid/etc/policy/pornosites_deny.list"
http_access deny pictures
http_access deny pornsites
.... etc.
pictures_deny.list consists of a bunch of lines like
\.GIF$
\.gif$
\.jpg$ .... etc.
while pornsites_deny.list has the usual playboy.com etc.

Now, some bright guy figured out that the first one can be bypassed by
giving the URL
http://foo.bar.com/nudes/qwerty.jpg? rather than
http://foo.bar.com/nudes/qwerty.jpg

This can be remedied by changing the deny lines to
\.jpg\?*$ (or just \.jpg, though this might restrict some legitimate URLs).
Any other such magic characters? I suspect not.

Also, if bar.com itself is in the pornsites list, it can be overcome by
http://foo.ba\r.com/nudes/qwerty.jpg?
This works because gethostbyname and co. treat ba\r.com and bar.com as
identical. Try nslookup 'www.play\boy.com' - it works!

Although I haven't tried later versions, a cursory look through the Changelogs
didn't reveal anything that would have fixed the second problem. Searching
through the mailing list archive didn't yield anything related.

Could someone please post a patch for this problem ? Thanks in advance.

                                                        -- ganesh
Received on Tue Sep 30 1997 - 15:34:01 MDT
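As an added illustration, not part of the original post and not Squid's own code, the following Python models the two ACL checks the post describes and runs the post's URLs through them as constructed inputs. The deny lists are stand-ins for the list files (which are not on the page), url_regex_denied and dstdomain_denied imitate the matching Squid 1.1 does rather than calling Squid, and resolver_view encodes the resolver behaviour the post reports as an assumption: a backslash escapes only the character after it, so dropping it gives the name actually looked up. Beyond the post, the example also feeds a URL with a non-empty query string to the proposed \.jpg\?*$ pattern, tries a hardened pattern that allows any query string, and adds a hostname-alphabet check that rejects the backslash trick before any domain list is consulted.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for pictures_deny.list and pornosites_deny.list;
# the real list files are not on the page.
PICTURES_DENY_ORIGINAL = [r"\.GIF$", r"\.gif$", r"\.jpg$"]
PICTURES_DENY_POSTED_FIX = [r"\.jpg\?*$"]               # pattern proposed in the post
PICTURES_DENY_HARDENED = [r"\.(GIF|gif|jpg)(\?.*)?$"]  # assumed fix: extension, then any query
PORN_DENY = ["playboy.com", "bar.com"]


def url_regex_denied(url, patterns):
    """Squid-style url_regex: a case-sensitive regex search over the whole
    raw request URL (hence the separate .GIF and .gif lines in the post)."""
    return any(re.search(p, url) for p in patterns)


def resolver_view(host):
    """Assumed model of the resolver behaviour the post describes:
    a backslash escapes the following character and is otherwise dropped,
    so 'www.play\\boy.com' is looked up as 'www.playboy.com'."""
    return re.sub(r"\\(.)", r"\1", host).lower()


def well_formed_host(host):
    """Only letters, digits, dots and hyphens; anything else (such as a
    backslash) is rejected before the domain ACL is even consulted."""
    return re.fullmatch(r"[A-Za-z0-9.-]+", host) is not None


def dstdomain_denied(url, domains, canonicalize=False):
    """Squid-style dstdomain: deny if the request host equals a listed domain
    or is a subdomain of it. Squid compares the host string as the client
    sent it; with canonicalize=True we first reduce it to the name the
    resolver would actually look up."""
    host = urlsplit(url).hostname or ""
    if canonicalize:
        host = resolver_view(host)
    return any(host == d or host.endswith("." + d) for d in domains)


def evaluate(url):
    """Run every ACL variant and the hostname check over one URL."""
    host = urlsplit(url).hostname or ""
    return {
        "pictures_original": url_regex_denied(url, PICTURES_DENY_ORIGINAL),
        "pictures_posted_fix": url_regex_denied(url, PICTURES_DENY_POSTED_FIX),
        "pictures_hardened": url_regex_denied(url, PICTURES_DENY_HARDENED),
        "porn_raw": dstdomain_denied(url, PORN_DENY),
        "porn_canonical": dstdomain_denied(url, PORN_DENY, canonicalize=True),
        "host_well_formed": well_formed_host(host),
    }


if __name__ == "__main__":
    # Constructed inputs: the URLs from the post plus one with a real query string.
    for u in [
        "http://foo.bar.com/nudes/qwerty.jpg",
        "http://foo.bar.com/nudes/qwerty.jpg?",
        "http://foo.bar.com/nudes/qwerty.jpg?x=1",
        r"http://foo.ba\r.com/nudes/qwerty.jpg?",
    ]:
        print(u)
        for name, verdict in evaluate(u).items():
            print(f"  {name:22s} {'DENY' if verdict else 'allow'}")
```

Running it shows the trailing "?" slipping past the original \.jpg$ line, the proposed \.jpg\?*$ line catching "qwerty.jpg?" but not "qwerty.jpg?x=1", and the backslashed hostname passing the raw dstdomain comparison while failing both the canonicalized comparison and the well-formedness check. Rejecting malformed hostnames is the safer of the two remedies, since it does not depend on guessing exactly which characters the local resolver ignores.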
