Jon Carnes wrote:
On Mon, 2004-08-02 at 11:52, Mike Johnson wrote:
I think the concern is really that a minor could use the %00 trick to bypass the squidGuard filter. It has been suggested on the web that you could use a URL something like http://[EMAIL PROTECTED] and squidGuard would interpret this as http://safesite.com - thus allowing you access. Unfortunately, that's just not how it works. People have been confusing two different vulnerabilities with that example. You'd really have to have the URL built into the path of the request - and not in the domain name part. This vulnerability is not going to allow you to bypass a domain-based filter (i.e. filters that reference porn.com are not going to be bypassed by this to allow you access to that site). It briefly may have allowed you to bypass an expression-based filter, one that forbade the word "bad" in this URL, for example: http://www.example.com/%00test/bad.html
Jon, Aaron,
Do y'all have fixes for this: http://xforce.iss.net/xforce/xfdb/15583
Or is it not that big of a deal for y'all? I was looking at SquidGuard and ran across that vulnerability. There doesn't seem to be a published patch that I can find.
Thanks,
Mike
I hadn't seen that one yet, but it seems like a minor irritant.
If you are already "looking" at a site, then it's allowed in the ACL's. If the site is not allowed then you can't "look" at the site to be affected...
The only problem would be if someone wanted to allow you to bypass the squidguard security they could put links on an allowed site with some "%00"'s... Of course that site would soon be on the disallowed list. :-)
If you were worried about that, then just include a rule that doesn't allow any site with the character sequence "%00" in the URL.
Jo%00n Car%00nes
But this would require the explicit cooperation of the people running example.com, and (as Jon suggested) would most certainly get them listed in the domain black list (not that that's an appropriate long term solution, but it may have been used temporarily)... which brings me to my next point...
For what it's worth, I think the actual vulnerability they're referencing was due to the underlying mechanisms that Squid works against, and I do believe those are currently resolved. I have tested the Intrex filter to be sure, and I was unable to bypass the filter with either of the above exploit types.
The really amusing core of the matter is, the people you're usually trying to filter aren't the type of folks that exploit null-character string vulnerabilities. :) Now granted, there are the occasional exceptions to that rule, but by and large that's the case. In an Intrex-style environment we have to cover all the bases to be sure (we do have some corporate clients that filter their employees w/ our filtering software), but in the case of the original poster... If my child discovers and starts abusing a method to get around your filtering software, after disciplining him for breaking the rules and educating him on why objectionable content is objectionable... I'll be taking him out for ice cream to celebrate his first good hack. :) An extra scoop if he came up with the sploit on his own.
Disclaimer: I have no kids, and don't suppose to offer good or valid parenting advice. Perhaps I'd think differently if I had a few years experience dealing w/ the real live, eating, breathing, porn-surfing animal.
Aaron S. Joyner
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
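As an added example (not code from the thread, from squidGuard or from Intrex), the expression-filter weakness discussed above modelled in Python: a filter that percent-decodes the URL and then hands it to NUL-terminated string handling never sees the part after %00, while a hardened check applies Jon's rule (reject any URL carrying "%00") and matches against the full decoded string. The NUL-truncation mechanism is my assumption of how such a filter fails; the sample URLs are constructed from the one quoted in the thread.

```python
"""Added example: expression-based URL filtering with and without NUL truncation."""
import re
from urllib.parse import unquote

# Expression rule from the thread: forbid the word "bad" anywhere in the URL.
BAD_WORDS = re.compile(r"bad", re.IGNORECASE)


def naive_blocked(url: str) -> bool:
    """Model of the weak filter (assumed mechanism): percent-decode the URL,
    then treat the result like a C string, so matching stops at the first NUL."""
    decoded = unquote(url)
    c_string_view = decoded.split("\x00", 1)[0]  # bytes after NUL are invisible
    return BAD_WORDS.search(c_string_view) is not None


def hardened_blocked(url: str) -> bool:
    """Hardened check: (1) Jon's rule, refuse any URL containing an encoded NUL;
    (2) match expressions against the whole decoded string, not a truncated view."""
    if "%00" in url or "\x00" in url:
        return True
    return BAD_WORDS.search(unquote(url)) is not None


def evaluate(urls):
    """Return {url: (naive_result, hardened_result)} for a batch of requests."""
    return {u: (naive_blocked(u), hardened_blocked(u)) for u in urls}


# Constructed sample requests based on the URL quoted in the thread.
SAMPLES = [
    "http://www.example.com/index.html",        # clean: both filters allow
    "http://www.example.com/test/bad.html",     # plain hit: both filters block
    "http://www.example.com/%00test/bad.html",  # NUL trick: only hardened blocks
]

if __name__ == "__main__":
    for url, (naive, hardened) in evaluate(SAMPLES).items():
        print(f"{url:45} naive_blocked={naive!s:5} hardened_blocked={hardened}")
```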
