I've been informed by our security department that we have two
vulnerabilities
on a squid reverse proxy I have running. It's running squid-2.5.STABLE3 on
Red Hat AS 4.0. The first issue concerns squid identifying itself on
port 80.
If you telnet to the squid proxy on port 80, then type "get /", squid
returns
the message "Server: squid/2.5.STABLE3 " (See Fig. 1)
Fig. 1
$ telnet 62.245.42.120 80
Trying 62.245.42.120...
Connected to 62.245.42.120.
Escape character is '^]'.
get /
HTTP/1.0 400 Bad Request
Server: squid/2.5.STABLE3
Mime-Version: 1.0
Date: Mon, 05 Jun 2006 13:45:50 GMT
Content-Type: text/html
Content-Length: 1216
Expires: Mon, 05 Jun 2006 13:45:50 GMT
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from www.superiorinfo.com
Proxy-Connection: close
You can see that it clearly identifies itself as a SQUID Proxy version
2.5.Stable3.
The second issue concerns using telnet to connect to connect to port 80
on the
same squid proxy server, and issuing a "CONNECT localhost:22 HTTP/1.0 ".
You can see in Fig. 2 listed below that this connects to ssh on port 22:
Fig. 2
$ telnet 62.245.42.120 80
Trying 62.245.42.120...
Connected to 62.245.42.120.
Escape character is '^]'.
CONNECT localhost:22 HTTP/1.0
HTTP/1.0 200 Connection established
SSH-2.0-OpenSSH_3.6.1p2
Protocol mismatch.
Connection closed by foreign host.
For the ssh connection issue I modified the hosts.deny and hosts.allow
files, which resolved the 2nd issue. Is there a way to NOT return the
"Server: squid/2.5.STABLE3" message as in Fig. 1 when connecting
to squid using telnet on port 80? And of less importance, is it possible
to prevent squid from allowing connecting to ssh on port 22 of the
localhost?
-Thanks
Received on Tue Jun 06 2006 - 17:23:55 MDT
This archive was generated by hypermail pre-2.1.9 : Sat Jul 01 2006 - 12:00:01 MDT