Hi, I tested against a server that I do not have access to the config file, but I did some tests in a new installation of Squid and the acl that allows CONNECT only in the SSL_PORTS works well for the CONNECT to GET translation attack, because the CONNECT method will not work for port 80. But the method of converting Host to IP still works. Squid do a better job than McAfee Web Gateway. But it is still possible to access any site with SSL enabled, like GMail, Facebook and Youtube(known sites that are filtered in most companies). Another possible attack is to find a web proxy in the internet that allows SSL connection(there are several of them in Google!). This way, the attacker will access the normal sites (port 80) through this web proxy and the web proxy through Squid. McAfee Web Gateway blocks several of this web proxies in regular configuration. But the appliance is vulnerable to the attacks mentioned. One radical method is to block any connection with just the IP address. Force the user to use DNS hostnames. I do not know if it is practical, but it will stop the attack. Many people tell that it is not a attack, it is normal working of SSL CONNECT Tunnel, but I guess if you block a site in your institution/company and the users can access this site, it is a vulnerability! So, why did you install a proxy, if you can't block anything? People will waste your bandwidth with videos, access porn and malware sites without a problem. For me, it is a serious vulnerability. Thanks for the feedback and the discussion. Gabriel Menezes Nunes > Can you please email these details and the squid.conf used to find it to > the security bugs reporting address bugs at squid-cache.org. > > This appears to be an aspect of same-origin bypass (CVE-2009-0801) or > something closely related. > > Thank You > Amos Jeffries > Squid Software Foundation >
