Re: [FW-1] HTTP Proxy Security Hole!!!

Greetings!

Don wrote:

The thing that really concerns me is that this general problem has been known to be an issue with plain HTTP proxies like Squid for ages (see e.g. http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14). And why didn't Checkpoint prevent or at least document this?

Won't work if you intend to give a public server (e.g. your webserver) some extra protection, i.e. a rule like "Any Webserver http->incoming". Here, if not using the Tunneling mode, the asterisk "*" in "Other" is easily overlooked, as the sketchy eye only sees the two tick boxes for PUT and POST marked, so "Other" won't be enabled, will it? (Answer: it is, as soon as there is something written in there, e.g. the default asterisk.)

So the inconsistent admin interface and/or unclean rule setup are probably to blame for this security hole. Plus, the security servers really should be transparent (i.e. not having the firewall address as source IP address). The latter will make filtering on the attacked server possible.

Bye
Volker

--
-------------------------------------------------------------------
[email protected]       discon GmbH IT-Security Consulting
Wrangelstrasse 100      http://www.discon.de/
10997 Berlin, Germany
-------------------------------------------------------------------
PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74 b94c c68e