Tue 2006-06-06 at 19:23 -0400, Bernard Barton wrote:

> I've been informed by our security department that we have two
> vulnerabilities on a squid reverse proxy I have running. It's running
> squid-2.5.STABLE3 on Red Hat AS 4.0. The first issue concerns squid
> identifying itself on port 80. If you telnet to the squid proxy on
> port 80, then type "get /", squid returns the message
> "Server: squid/2.5.STABLE3 " (See Fig. 1)
> You can see that it clearly identifies itself as a SQUID Proxy version
> 2.5.Stable3.

Yes, as mandated by the RFCs...

I don't agree this is a vulnerability. But the upcoming 2.6 release does have a config option to not reveal the version number for those who are paranoid about these things.

Be warned however that hiding version numbers does not increase security at all, only makes auditing and error tracing harder. The bad guys simply throw all the available exploits at the server port anyway and don't really care about the version number, so in practice the only effect you have from disabling the version number is that you can't use automated audit tools in your network in a nice and ordered manner.

> The second issue concerns using telnet to connect to port 80 on the
> same squid proxy server, and issuing a
> "CONNECT localhost:22 HTTP/1.0 ".
> You can see in Fig. 2 listed below that this connects to ssh on port 22:

Then you have removed the access checks found in the default squid.conf shipped with Squid, which are there just to block this kind of abuse. You should be very careful with where you allow CONNECT to.

Regards
Henrik
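The access check the reply refers to can be audited offline. The following is an added example, not part of the original message and not Squid's own code: a small first-match evaluator for `http_access` rules, run against two constructed squid.conf excerpts, one with the stock `deny CONNECT !SSL_ports` line and one with it removed. The names `STOCK`, `STRIPPED`, `parse`, `acl_hit` and `decide` are hypothetical, and only `method`, `port` and catch-all `src` ACLs are handled.

```python
# Added example: first-match evaluation of squid.conf http_access rules.
# Handles only "method", "port" and catch-all "src" ACLs (an assumption
# made to keep the example short); other ACL types raise ValueError.

# Constructed sample: the CONNECT check as in the stock squid.conf,
# with "allow all" standing in for the site's own allow rules.
STOCK = """
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow all
"""
# Constructed sample: the same file with the CONNECT check removed.
STRIPPED = STOCK.replace("http_access deny CONNECT !SSL_ports\n", "")

def parse(conf):
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if tok[:1] == ["acl"] and len(tok) >= 4:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"] and len(tok) >= 3:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_hit(acls, name, method, port):
    kind, values = acls[name]
    if kind == "method":
        return method.upper() in values
    if kind == "port":  # single ports or lo-hi ranges
        ranges = (v.partition("-") for v in values)
        return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)
    if kind == "src" and values == ["0.0.0.0/0.0.0.0"]:
        return True
    raise ValueError("unsupported acl: " + name)

def decide(conf, method, port):
    """Return 'allow' or 'deny' for a request, following Squid's rule order."""
    acls, rules = parse(conf)
    for action, terms in rules:
        # A rule matches only if every ACL on the line matches ("!" negates).
        if all(acl_hit(acls, t.lstrip("!"), method, port) != t.startswith("!")
               for t in terms):
            return action
    # Nothing matched: Squid applies the opposite of the last rule.
    if not rules:
        return "deny"
    return "allow" if rules[-1][0] == "deny" else "deny"

if __name__ == "__main__":
    for name, conf in (("stock", STOCK), ("stripped", STRIPPED)):
        print(name, "CONNECT :22 ->", decide(conf, "CONNECT", 22))
```

With the stock line present, a CONNECT to port 22 is denied before any allow rule is reached; with it removed, the same request falls through to the first allow.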