On Wed, 20 Jul 2005, Kinkie wrote:

> IIRC we _do_ have provisions in place to avoid this kind of problems.

We do. For a start we refuse to forward NTLM or Negotiate authentication as mentioned in the paper (Scope of attack) completely eliminating the issue. And in addition we also send the Via header.

We also have quite strong protections from request smuggling/splitting, and relatively strong protections against response splitting as discussed by the two referenced papers.

Squid-3 still is a bit behind in these matters, but it will catch up.

Scope of the attack
===================

*) Not all proxy servers honor NTLM authentication. Squid, for one,
deliberately doesn't support NTLM
(http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.14). Indeed,
Squid seems to strip off the WWW-Authenticate header if it contains
NTLM or Negotiate, thereby effectively disabling NTLM authentication
between the client and the web server. But as mentioned above, there
are some proxy servers that do support NTLM authentication, such as
Sun Proxy 4.

*) The web server (IIS/6.0) must receive a Via-less request. The
Microsoft implementation assumes that the Via header is always sent
by a proxy server, and this is indeed mandated by the HTTP/1.1 RFC
2616 (http://www.ietf.org/rfc/rfc2616.txt), section 14.45:


Regards
Henrik
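The two defences Henrik describes, modelled as an added example that is not Squid's own code: a forwarding proxy drops connection-oriented WWW-Authenticate challenges (NTLM, Negotiate) from origin responses and always appends a Via header to forwarded requests (RFC 2616 section 14.45). The header lists and the proxy pseudonym are constructed for illustration.

```python
# Added illustration (not Squid code). Headers are modelled as an ordered
# list of (name, value) pairs, as they appear on the wire.

# Schemes that authenticate the TCP connection rather than each request;
# forwarding them through a proxy is what the paper's attack relies on.
CONNECTION_ORIENTED_SCHEMES = {"ntlm", "negotiate"}


def challenge_scheme(value: str) -> str:
    """Return the auth scheme of a WWW-Authenticate value, lower-cased.
    Assumes one challenge per header line; a line holding several
    challenges is judged by its first scheme (conservative: the whole
    line is dropped if that scheme is connection-oriented)."""
    first = value.split(None, 1)[0] if value.strip() else ""
    return first.rstrip(",").lower()


def filter_www_authenticate(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Strip NTLM/Negotiate challenges from an origin response so the
    client never starts connection-oriented auth through the proxy.
    Per-request schemes (Basic, Digest) are forwarded unchanged."""
    kept = []
    for name, value in headers:
        if name.lower() == "www-authenticate" and \
                challenge_scheme(value) in CONNECTION_ORIENTED_SCHEMES:
            continue
        kept.append((name, value))
    return kept


def add_via(headers: list[tuple[str, str]], proto_version: str = "1.1",
            pseudonym: str = "proxy.example") -> list[tuple[str, str]]:
    """Record this hop in the Via header (RFC 2616 14.45), appending to an
    existing Via from an upstream proxy or creating one if absent, so the
    origin can always tell the request crossed a proxy."""
    hop = f"{proto_version} {pseudonym}"
    out, found = [], False
    for name, value in headers:
        if name.lower() == "via" and not found:
            out.append((name, f"{value}, {hop}"))
            found = True
        else:
            out.append((name, value))
    if not found:
        out.append(("Via", hop))
    return out
```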
