Nikolai Gorchilov created TS-2954:
-------------------------------------

             Summary: cache poisoning due to proxy.config.http.use_client_target_addr = 1
                 Key: TS-2954
                 URL: https://issues.apache.org/jira/browse/TS-2954
             Project: Traffic Server
          Issue Type: Bug
          Components: Cache, DNS
            Reporter: Nikolai Gorchilov


The current implementation of proxy.config.http.use_client_target_addr opens a 
very simple cache poisoning attack vector in transparent forwarding mode.

An attacker (or malware installed on an innocent end-user's computer) puts a 
fake IP for a popular website like www.google.com or www.facebook.com in the 
hosts file of a PC behind the proxy. Once the infected PC requests the webpage 
in question, the cacheable fake response poisons the cache for every other 
client of that proxy.

In order to prevent such scenarios (as well as [some 
others|http://www.kb.cert.org/vuls/id/435052]) Squid has implemented a 
mechanism known as [Host Header Forgery 
Detection|http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery].

In short, while fetching a URL from the origin server IP hinted by the client, 
the proxy makes an independent DNS query in parallel to determine whether the 
client-supplied IP belongs to the requested domain name. If the DNS answer and 
the client-supplied IP disagree, the transaction shall be flagged as 
non-cacheable to avoid cache poisoning, while the (possibly fake) response is 
still served to the requesting client only.
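The check described above, as an added example (this is not Traffic Server's or Squid's own code): the proxy keeps connecting to the address the client chose, resolves the Host header itself, and marks the response non-cacheable when that address is not among the DNS answers. The resolver is a constructed in-memory table using documentation address ranges so the example runs offline; a real deployment would query the proxy's resolver instead. Treating an unresolvable name as "unverified, do not cache" is an assumption made here, not something the report specifies.

```python
"""Host Header Forgery check for a transparently intercepted request.

Added example, not Traffic Server or Squid code.  The proxy still forwards to
the client's target address; it only decides whether the response may be
cached, based on an independent lookup of the Host header.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed DNS view (RFC 5737 / RFC 3849 documentation addresses).  A real
# deployment would ask the proxy's own resolver instead of this table.
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.com": ["192.0.2.10", "192.0.2.11", "2001:db8::1"],
    "cdn.example.net": ["198.51.100.20"],
}


@dataclass(frozen=True)
class Verdict:
    forward_to: str   # address the proxy connects to: always the client's target
    cacheable: bool   # whether the response may be stored in the cache
    reason: str


def host_from_header(host_header: str) -> str:
    """Strip an optional :port and normalise case and trailing dot."""
    h = host_header.strip()
    if h.startswith("["):                 # "[v6-literal]:port" form
        h = h[1:h.index("]")]
    elif h.count(":") == 1:               # "name:port" or "v4:port" form
        h = h.split(":", 1)[0]
    return h.lower().rstrip(".")


def check_client_target(host_header: str, client_target: str,
                        dns: Dict[str, List[str]] = FAKE_DNS) -> Verdict:
    """Decide whether a response fetched from client_target may be cached."""
    try:
        target = ipaddress.ip_address(client_target)
    except ValueError:
        return Verdict(client_target, False, "client target is not an IP address")

    host = host_from_header(host_header)

    # Host is itself an IP literal: it must equal the address the client used.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        ok = literal == target
        return Verdict(str(target), ok,
                       "Host literal matches target" if ok
                       else "Host literal differs from target")

    answers = dns.get(host)
    if answers is None:
        # Unresolvable name: the claim cannot be verified, so do not cache.
        # (Assumption made in this example; the report does not cover it.)
        return Verdict(str(target), False, "DNS lookup failed; target unverified")

    # ipaddress equality handles textual variants such as 2001:DB8::1.
    if any(ipaddress.ip_address(a) == target for a in answers):
        return Verdict(str(target), True, "client target is a DNS answer for Host")
    return Verdict(str(target), False,
                   "client target not among DNS answers; possible Host forgery")


if __name__ == "__main__":
    # Constructed intercepted requests: (Host header, destination IP the client used)
    samples = [
        ("www.example.com", "192.0.2.10"),        # honest client
        ("www.example.com:443", "2001:DB8::1"),   # honest, IPv6, port in Host
        ("www.example.com", "203.0.113.66"),      # hosts-file entry points elsewhere
        ("unknown.example.org", "192.0.2.10"),    # name does not resolve
    ]
    for h, ip in samples:
        v = check_client_target(h, ip)
        print(f"{h:24} -> {v.forward_to:14} cacheable={v.cacheable!s:5} {v.reason}")
```

Note that the verdict never changes where the request is sent: the forged response still reaches the client that asked for it, exactly as the report describes, but it no longer enters the shared cache. Running the DNS lookup in parallel with the origin connection keeps the added latency to roughly one resolver round-trip.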



--
This message was sent by Atlassian JIRA
(v6.2#6252)