Aaron S. Joyner [EMAIL PROTECTED] wrote:

> I think the concern is really that a minor could use the %00 trick to
> bypass the squidguard filter. It has been suggested on the web that
> you could use a URL something like http://[EMAIL PROTECTED]
> and squidGuard would interpret this as http://safesite.com - thus
> allowing you access. Unfortunately, that's just not how it works.
> People have been confusing two different vulnerabilities with that
> example. You'd really have to have the URL built into the path of the
> request - and not in the domain name part. This vulnerability is not
> going to allow you to bypass a domain-based filter (i.e. filters that
> reference porn.com are not going to be bypassed by this to allow you
> access to that site). It briefly may have allowed you to bypass an
> expression-based filter, one that forbids the word "bad" in this url, for
> example: http://www.example.com/%00test/bad.html
Yes. The null byte has to occur in the path on the server, not in the name
itself. The specific instance I was looking into was bypassing wildcard
blocks. For instance, a filter denying access to a URL with the word 'nude'
in the path:

    http://www.example.com/nude.jpg

That was blocked by the wildcard in place. However:

    http://www.example.com/%00nude.jpg

would allow me access to the naughty jpg.

> For what it's worth, I think the actual vulnerability they're
> referencing was due to the underlying mechanisms that Squid works
> against, and I do believe those are currently resolved. I have tested
> the Intrex filter to be sure, and I was unable to bypass the filter with
> either of the above exploit types.

Do y'all use wildcard filters, such as the example I gave above? If so, is
the example I gave above blocked?

> The really amusing core of the matter is, the people you're usually
> trying to filter aren't the type of folks that exploit null-character
> string vulnerabilities. :) Now granted, there are the occasional
> exceptions to that rule, but by and large that's the case. In an
> Intrex-style environment we have to cover all the bases to be sure (we
> do have some corporate clients that filter their employees w/ our
> filtering software), but in the case of the original poster... If my
> child discovers and starts abusing a method to get around your filtering
> software, after disciplining him for breaking the rules and educating
> him on why objectionable content is objectionable... I'll be taking him
> out for ice cream to celebrate his first good hack. :) An extra scoop
> if he came up with the sploit on his own.

Please understand that I was not trying to say 'squidguard is useless
because it can't protect against X'. I was truly asking if there was a
solution for the problem. I am not implementing this for myself, but helping
someone else. And yes, I'm being deliberately vague about the environment I'm
dealing with.
Mike
--
"Spare me your space-age technobabble Atilla The Hun!" -- Zapp Brannigan
GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
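To make the distinction drawn in this exchange concrete, here is an added Python model (not code from the thread, from squidGuard or from Intrex) of an expression filter matching words in the decoded URL path: the naive version stops at the first NUL byte the way a C string would, while the hardened version decodes the path to raw bytes, refuses control bytes outright and matches the whole path. The word list and the URLs are constructed sample input.

```python
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed sample rule set: an expression/wildcard filter that denies
# any URL whose path contains one of these words.
BLOCKED_WORDS = [b"nude", b"bad"]


def decoded_path(url: str) -> bytes:
    """Percent-decode only the path component, keeping every byte
    (so an encoded %00 survives as a literal NUL byte)."""
    return unquote_to_bytes(urlsplit(url).path)


def naive_filter_blocks(url: str, words=BLOCKED_WORDS) -> bool:
    """Model of a filter that hands the decoded path to C string routines:
    anything after the first NUL byte is invisible to the match, which is
    why /%00nude.jpg slips past a rule that catches /nude.jpg."""
    visible = decoded_path(url).split(b"\x00", 1)[0]
    return any(w in visible.lower() for w in words)


def hardened_filter_blocks(url: str, words=BLOCKED_WORDS) -> bool:
    """Decode to raw bytes, deny any path carrying a control byte
    (a legitimate path never needs one), then match the full path."""
    path = decoded_path(url)
    if any(b < 0x20 or b == 0x7F for b in path):
        return True  # deny: NUL or other control byte in the path
    return any(w in path.lower() for w in words)


if __name__ == "__main__":
    for u in ("http://www.example.com/nude.jpg",
              "http://www.example.com/%00nude.jpg",
              "http://www.example.com/%00test/bad.html"):
        print(u, "naive:", naive_filter_blocks(u),
              "hardened:", hardened_filter_blocks(u))
```

The domain case in the thread is unaffected either way: the host is never percent-decoded here, so a domain blocklist is not what a NUL in the path touches.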
