Discussion Lists wrote:
Hi Tom, People should correct me if I am wrong, however a proxy server such as squid doesn't know the difference between a legitimate web request and a malicious one. Both can, and in most cases are required to, be compliant with various networking RFCs. A malformed GET request, for instance, done with just the right payload (no need to tweak it to work with squid), and aimed at a sufficiently vulnerable Windows box/service is all it takes. A reverse-shell spawning payload would give the attacker unlimited access to your machine at that point. Since all a proxy server does is forward web transactions, that service is nearly as vulnerable as if the box was sitting naked on the Internet. So without knowing more details, this comes down to a question of how well patched your web service is.
Hope that helps, Mark
Hello,
I have not (yet) used squid as a reverse proxy, but we had a similar discussion a couple of weeks ago in the office. A software vendor and the person responsible for the new service insisted on using a reverse proxy for security reasons.
My point of view is similar to yours: any request with the "right" payload will hit the webserver regardless of whether a reverse proxy is used or not.
The only way to improve the situation could be a reverse proxy with filtering capabilities as provided by some firewall products.
When implementing a reverse proxy based on free software I can only think of squid or apache with mod_proxy but IMHO both will not filter the requests. Am I on the right track?
Regards,
Hendrik Voigtländer
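As an added illustration of the filtering step both posters say a plain forwarding proxy lacks (this is example code written for this page, not squid, mod_proxy or anything from the thread), the function below inspects an HTTP request head before it would be handed to the origin server and rejects requests that are not well-formed: a request line that does not parse, a disallowed method, an oversized request line, or a header field with bytes outside the printable ASCII range. The method allow-list and size limits are assumed policy values, not anything the thread specifies.

```python
import re
from typing import Optional

# Assumed policy values for this example; a real deployment tunes these per site.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_REQUEST_LINE = 2048
MAX_HEADER_COUNT = 50
MAX_HEADER_LINE = 4096

# Request line: METHOD SP origin-form-target SP HTTP/1.0|1.1, printable ASCII only.
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>/[!-~]*) HTTP/1\.[01]$")
# Header field: token ":" optional whitespace, then printable ASCII or TAB.
HEADER_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[\x20-\x7e\t]*$")


def filter_request(raw: bytes) -> Optional[str]:
    """Return None if the request head may be forwarded, else a rejection reason."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "incomplete header block"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return "non-ASCII bytes in request head"
    request_line, headers = lines[0], lines[1:]
    if len(request_line) > MAX_REQUEST_LINE:
        return "request line too long"
    m = REQUEST_LINE_RE.match(request_line)
    if not m:
        return "malformed request line"
    if m.group("method") not in ALLOWED_METHODS:
        return f"method {m.group('method')} not allowed"
    if len(headers) > MAX_HEADER_COUNT:
        return "too many header fields"
    for h in headers:
        if len(h) > MAX_HEADER_LINE:
            return "header line too long"
        if not HEADER_RE.match(h):
            return "malformed header field"
    return None


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(filter_request(b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    print(filter_request(b"GET /\x01\x02 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
```

A forwarding-only proxy would pass both sample requests through unchanged; the filter lets the first through and gives a reason for dropping the second.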
