[19869] in bugtraq
Re: Raptor 6.5 http vulnerability (fwd)
daemon@ATHENA.MIT.EDU (Alexander Bochmann)
Tue Mar 27 11:43:09 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID: <20010327162140.B846@styx.gxis.de>
Date: Tue, 27 Mar 2001 16:21:40 +0200
Reply-To: Alexander Bochmann <ab@GXIS.DE>
From: Alexander Bochmann <ab@GXIS.DE>
X-To: Peter Robinson <peter@securegateway.org>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <OFEJLKCFCJHPEBBLLPBMOEGHCAAA.peter@securegateway.org>; from
peter@securegateway.org on Tue, Mar 27, 2001 at 10:16:55PM +1000
Hi,
...on Tue, Mar 27, 2001 at 10:16:55PM +1000, Peter Robinson wrote:
> Most http Proxy solutions (including squid and fw1) do this unless you
> specify otherwise.
> If you don't know what you're doing... you don't know what you're doing!!.
> Don't blame the software.....
Ok, I'm going to blame the documentation then ;)
It doesn't waste a word about the possibility to access the
http proxy as proxy from the outside interface; and although
one could think that people would consider this possibility,
I have yet to see one Raptor installation that has been guarded
against it.
Although it can be used as proxy, people (including me, although
I was aware that the http module can be used as proxy from the
inside interfaces) who just use the http module for transparent
connections seem to forget about the proxying abilities.
> This is NOT a bug, just a feature .. Often you want people to use their
> proxy to access web sites on other ports.
I know that it's a feature...
> Proxies should be set up correctly to permit incoming HTTP access by ip
> address and limited to what remote ports are allowed. The defaults are never
> adequate.
...but sometimes it seems, some reminders are needed.
> It hardly requires "brute force" The "setenv" LYNX/Unix default proxy are
> the same as the proxy settings in a browser like Netscape or I.E.
I know that it's the same, but it's easier to copy and paste text
output to messages... You want screenshots instead?
Also, what I was talking about as brute force was not using the
http module as proxy in itself, but the brute force would be to
try all IP addresses you would expect on the inside interface
to see which ones are responding to requests proxied through
the http module.
Alex.
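
The restriction discussed in this thread (proxy-style requests accepted only from inside clients, and only to permitted destination ports), written out as an added example that is not part of the original post and is not Raptor configuration. The inside networks, allowed ports, function names and sample requests are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed site policy (constructed values, not taken from the post).
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_PORTS = {80, 443}

def is_inside(addr):
    """True if addr is a literal IP address within an inside network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # a hostname, not a literal address
    return any(ip in net for net in INSIDE_NETS)

def check_request(client_ip, request_line):
    """Return (allowed, reason) for one request line seen by the HTTP module."""
    parts = request_line.split()
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, _version = parts
    if method.upper() == "CONNECT":
        url, default_port = urlsplit("//" + target), 443
    elif "://" in target:
        url = urlsplit(target)
        default_port = 443 if url.scheme == "https" else 80
    else:
        # Origin-form target: transparent use, not a proxy-style request.
        return True, "origin-form request (transparent)"
    try:
        host, port = url.hostname, url.port or default_port
    except ValueError:
        return False, "invalid destination port"
    if host is None:
        return False, "no destination host"
    if not is_inside(client_ip):
        # The case raised in the thread: proxy use from the outside interface.
        if is_inside(host):
            return False, "outside client proxying to inside address"
        return False, "proxy request from outside client"
    if port not in ALLOWED_PORTS:
        return False, "destination port not allowed"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample requests: (client address, request line).
    for client, line in [("192.168.1.20", "GET http://www.example.com/ HTTP/1.0"),
                         ("203.0.113.7", "GET http://192.168.1.5/ HTTP/1.0"),
                         ("192.168.1.20", "GET http://www.example.com:25/ HTTP/1.0")]:
        print(client, line, "->", check_request(client, line))
```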