POST is the HTTP method (defined in the HTTP RFC) that lets a client send a body of data to a server. Through a misconfigured Squid proxy, POST requests make it easy to open a connection from Squid to any host and port the proxy itself can reach, including internal machines the attacker could not contact directly, and to push arbitrary data down that connection.
The root cause is a missing or wrong access list in squid.conf. The fix is to configure Squid's access control section properly by adding a few lines to it.
A quick way of doing it is to define the range of destination ports you permit with an acl element. Among the acl element types Squid understands is "port", which matches the destination port number of the request. Define the permitted ports, then deny everything else:
acl safe port 80 21 443 8000-65535 # Safe ports (acl name, type "port", values)
http_access deny !safe # Deny !Safe ports (must come before any http_access allow)
With those lines in place nobody can reach a forbidden port through the POST trick (except, with this list, any port above 8000: the range 8000-65535 still leaves every high port open, so tighten it to what your users actually need).
Of course, also make sure that only your own clients can use the proxy at all, with source-address ACLs such as these:
acl all src 0.0.0.0/0.0.0.0
acl ourhosts src 192.168.0.0/255.255.0.0 # Here are your customers.
http_access allow ourhosts # only your customers may use the proxy
http_access deny all # everyone else is refused
(ACLs can match on source and destination addresses, ports, request methods, time of day and much more.)
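The port and source-address pieces above, assembled into one ordered access-control section as an added example (this is not the original page's fragment nor the Squid project's shipped squid.conf). It assumes clients on 192.168.0.0/16, HTTPS only on port 443, and the same permitted port list as above; it also adds the CONNECT rule, since a CONNECT tunnel to an arbitrary port is the same relay problem as the POST one:

```conf
# Added example configuration, not the page's or the Squid project's own.
# Assumptions: clients live in 192.168.0.0/16, HTTPS is only on 443, and the
# permitted destination ports are 80, 21, 443 and 8000-65535 as in the text.

# --- ACL definitions (acl <name> <type> <values>) ---
acl all      src 0.0.0.0/0.0.0.0          # everyone (predefined in Squid 3.2+; drop the line there)
acl ourhosts src 192.168.0.0/255.255.0.0  # assumed client network
acl safe     port 80 21 443 8000-65535    # destination ports any request may reach
acl sslports port 443                     # destination ports CONNECT may tunnel to
acl CONNECT  method CONNECT               # the tunnelling method itself

# --- http_access rules: evaluated top to bottom, first match decides ---
http_access deny !safe                    # POST/GET/... to 25, 23, 139, ... refused
http_access deny CONNECT !sslports        # CONNECT tunnels to anything but 443 refused
http_access allow ourhosts                # our own clients may use what is left
http_access deny all                      # everybody else gets nothing
```

Because the first matching http_access line decides, the two deny lines must come before `allow ourhosts`; with the order reversed a client in ourhosts would still reach port 25 through the proxy. If no line matches, Squid applies the opposite of the last rule, which is why the section ends with an explicit `deny all`. After `squid -k reconfigure`, a request such as `curl -x proxy.example:3128 -X POST http://target.example:25/` (placeholder hosts) should come back with a 403 "Access Denied" page from Squid instead of being relayed to the mail port.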
For more information about access control lists, see the Squid project site:
http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.2
which describes every acl element type available and every kind of deny rule you can build with them.
Finally, upgrade to Squid 2.x, because a number of bugs that could have been security holes were fixed there: for instance, all sprintf calls were replaced by snprintf, which bounds each write to the size of its buffer. Again, check:
http://www.squid-cache.org/ where these changes are described better than I can.
by 4735