COMMAND

    Squid Internet Object Cache

SYSTEMS AFFECTED

    Systems running squid 1.1.20 and 1.2beta15 (at least)

PROBLEM

    Vitaly V. Fedrushkov found a simple way to bypass squid ACLs.  It is
    possible to bypass squid access control rules that are based on URL
    regular expressions.  Because squid does not fully parse the URL, a
    client can rewrite the URL with hex escapes so that it no longer
    matches a rule but is still valid for the replying server.  Example
    follows.

    squid.conf:

        ...
        acl PornoURLs url_regex "/var/lib/squid/etc/PornoURLs.acl"
        ...
        http_access     deny    PornoURLs
        ...

    PornoURLs.acl:

        ...
        aha.ru.*/~sands/
        ...

        netscape http://www.aha.ru/~sands/      -> Access denied
        netscape http://www.aha.ru/~%73ands/    -> 200 OK

    _BUT_

        http://www.ravage.com/plypage/html/nude.html     -> Access denied
        http://www.ravage.com/plypage/html/%75%6ede.html -> 404 Object Not Found

    Any access restrictions based on such ACLs can easily be bypassed by
    clients.  Mauro Lacy added that you can also replace the host name
    in the URL by its numerical IP address, e.g.:

        netscape http://www.playboy.com                -> Access denied
        nslookup www.playboy.com
                ...
                Non-authoritative answer:
                Name:    wdc.express.playboy.com
                Addresses:  206.251.29.12, 205.216.146.201
                Aliases:  www.playboy.com, www.express.playboy.com

        netscape http://206.251.29.12                  -> OK!
        netscape http://205.216.146.201                -> OK!

Everybody: please don't tell my company sysadmin. :-))

SOLUTION

    As you can see, the result depends on the server implementation.
    RFC 1738 says MAY on escaping printable characters, and also states
    that such escapes may change the URL semantics.  Nonetheless, any
    other software that relies on URL matching should be checked as
    well.

    1. Rewrite the regexps to match every valid escaping of the URL.
       This seems tricky, and the result is unreadable by humans (== easy
       to mistype).

    2. Use some request-rewriting software on the proxy port to
       canonicalize the request and forward it to squid.  This breaks
       port- and IDENT-based rules.  It also breaks HTTP 1.1: in HTTP 1.1
       a proxy is explicitly forbidden to transform URLs.  If a client
       has escaped a URL in a certain way it is required that it arrives
       in the same form at the server, since an escaped URL may refer to
       a different object.

    In the case of the playboy example you have to add the numerical IP
    addresses of the host to the ACL, e.g.:

        PornoURLs.acl:
            ...
            www.playboy.com
            206.251.29.12
            205.216.146.201
            ...

    Squid has a special case for matching IP addresses.  If a valid
    reverse lookup is registered then that name is used, else the
    pseudo-domain "none".

        # Deny IP based requests where no reverse lookup is available
        acl unknown_ip dstdomain none
        http_access deny unknown_ip
        # Deny forbidden sites
        acl badsites dstdomain playboy.com ....
        http_access deny badsites

    What should be done is to temporarily unescape the URL for ACL
    processing only.  Preliminary patches for Squid 1.1.2 and 1.2beta15
    (preliminary == only basic testing completed, not official) can be
    found at:

        http://hem.passagen.se/hno/squid/