We're pleased to announce the availability of 'Socket Capable Browser Plugins Result In Transparent Proxy Abuse'. This document outlines the abuse case in CERT's VU #435052 advisory published last month.
Abstract
"Transparent proxies allow organizations to influence and monitor the traffic from its users without their knowledge or participation. Transparent proxies act as intermediaries between a user and end destination, and aren't generally apparent to users sitting behind them. Enterprises, Hotels, and Internet Service Providers often use transparent proxy products to lower bandwidth consumption, speed up page loads for their users, and for monitoring and filtering of web surfing. When certain transparent proxy architectures are in use an attacker can achieve a partial Same Origin Policy Bypass resulting in access to any host reachable by the proxy via the use of client plug-in technologies (such as Flash, Applets, etc) with socket capabilities. This write up will describe this architecture, how it may be abused by Flash, its existence in various network layouts, and mitigations."
Download Paper: http://www.thesecuritypractice.com/the_security_practice/TransparentProxyAbuse.pdf
CERT Advisory: http://www.kb.cert.org/vuls/id/435052
Solution for squid in squid.conf (tested here, seems to work):
acl NOCACHELAN dst 192.168.0.0/16 10.0.0.0/8
acl NOCACHELAN2 dstdomain .intra .local
http_access deny NOCACHELAN
http_access deny NOCACHELAN2
Without these lines I get our intranet when doing the following:
telnet www.heise.de 80
GET / HTTP/1.0
Host:192.168.250.9
With these lines squid gives me "access denied"
regards,
Joachim Otahal, Germany
Posted by: Joachim Otahal | March 10, 2009 at 06:35 PM
Joachim, have you tried with Host: www.other-site.com ?
The abuse is related to any host anywhere, not internal hosts.
Regards.
Posted by: Emilio | March 13, 2009 at 12:44 PM
It does not protect from spoofing from one outside server to another outside server.
My target was quickly protecting the internal network.
There are squid options which can fix this to some extent, but then some websites don't work, and more internal information is exposed outside than I want.
Rechecking should be done anyway, squid evolves.
Jou
Posted by: Joachim Otahal | March 18, 2009 at 03:05 PM
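The exchange above, modeled as an added example (not code from the commenters, the paper or Squid): the two ACLs deny a spoofed Host header that points inside the LAN, but an outside-to-outside mismatch is still forwarded unless the Host header is also compared with the address the client actually connected to. The names `decide` and `verify_host`, the DNS table and the external hostnames and addresses are constructed for illustration; `verify_host` is an assumed check, not a description of a Squid option.

```python
import ipaddress

# Mirrors the two ACLs from the comment: NOCACHELAN (dst) and NOCACHELAN2 (dstdomain).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]
BLOCKED_SUFFIXES = (".intra", ".local")

def host_of(request: bytes) -> str:
    """Return the Host header value without a port, or '' if absent."""
    for line in request.split(b"\r\n")[1:]:
        if not line:
            break  # end of headers
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii")
            return host.rsplit(":", 1)[0] if ":" in host else host
    return ""

def resolve(host: str, dns: dict) -> list:
    """IP literal -> itself; otherwise look the name up in the supplied table."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in dns.get(host, [])]

def decide(orig_dst: str, request: bytes, dns: dict, verify_host: bool) -> str:
    """Model an intercepting proxy that routes by Host header.

    orig_dst is the IP the client's TCP connection was addressed to.
    """
    host = host_of(request)
    addrs = resolve(host, dns)
    if ("." + host).endswith(BLOCKED_SUFFIXES) or any(
        a in net for a in addrs for net in BLOCKED_NETS
    ):
        return "deny-acl"
    # Assumed extra check: Host must resolve to the connection's destination.
    if verify_host and ipaddress.ip_address(orig_dst) not in addrs:
        return "deny-host-mismatch"
    return "forward to " + host

# Constructed sample data (documentation address ranges and example names).
DNS = {"www.example.com": ["203.0.113.10"], "www.other-site.example": ["198.51.100.20"]}
INTERNAL = b"GET / HTTP/1.0\r\nHost:192.168.250.9\r\n\r\n"
OTHER = b"GET / HTTP/1.0\r\nHost: www.other-site.example\r\n\r\n"
HONEST = b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
```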
Try with current stable version of squid. Worked for me.
Posted by: Proxy Servers | June 22, 2009 at 03:08 PM