
Re: [FW-1] HTTP Proxy Security Hole!!!



Greetings!

Don wrote:

The thing that really concerns me is, that this general problem has been
known to be an issue with plain HTTP proxies like the Squid since ages
(see e.g. http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14). And
why didn't Checkpoint prevent or at least document this?

Tunneling mode has always been a bad idea.


With CheckPoint you should do the same thing by restricting access to
the security server in your ruleset.


Won't work if you intend to give a public server (e.g. your webserver)
some extra protection, i.a. a rule like "Any  Webserver  http->incoming"

Here - if not using the Tunneling mode - the asterisk "*" in "Other"
is easily overlooked, as the sketchy eye only sees the two tick
boxes for PUT and POST marked, so "Other" won't be enabled, will it?
(Answer: it is as soon as there is something written in there, e.g. the
default asterisk).

So the inconsistent admin interface and/or unclean rule setup are
probably to blame for this security hole. Plus the security servers
really should be transparent (i.e. not having the firewall address as
source IP address). The latter will make filtering on the attacked
server possible.

Bye
       Volker

--

-------------------------------------------------------------------
[email protected]                                 discon GmbH
IT-Security Consulting                           Wrangelstrasse 100
http://www.discon.de/                         10997 Berlin, Germany
-------------------------------------------------------------------
PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74  b94c c68e
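The mail above describes a rule whose HTTP method controls look restrictive (only PUT/POST ticked) but whose free-text "Other" field, left at its default "*", quietly enables every other method. The following is an added example, not code from the thread or from Check Point: a small model of such a rule plus an audit function, so an administrator can see which methods a given rule actually passes and be warned when "Other" is non-empty. The field names, the glob matching of the "Other" field, and the sample request lines are all assumptions constructed for the example.

```python
"""Audit helper modelling the HTTP security-server method controls discussed
in the thread (added example, not Check Point's code). Assumptions: GET, PUT
and POST are tick boxes; "Other" is a free-text field that, when non-empty,
enables any method matching it as a shell-style glob; the default is "*".
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class HttpResourceRule:
    """Hypothetical representation of one HTTP resource rule."""
    get: bool = True
    put: bool = False
    post: bool = False
    other: str = "*"   # default value in the dialogue, per the mail (assumption)

    def allows(self, method: str) -> bool:
        """Does this rule pass a request using `method`?"""
        method = method.upper()
        if method == "GET":
            return self.get
        if method == "PUT":
            return self.put
        if method == "POST":
            return self.post
        # The point of the thread: "Other" is in effect as soon as the field
        # contains anything at all, so the default "*" matches every method
        # that has no tick box of its own (CONNECT, TRACE, DELETE, ...).
        pattern = self.other.strip()
        return bool(pattern) and fnmatchcase(method, pattern)


def lint(rule: HttpResourceRule) -> list:
    """Return human-readable findings about silently permissive settings."""
    findings = []
    pattern = rule.other.strip()
    if pattern:
        findings.append(
            'field "Other" is non-empty (%r): methods without a tick box are '
            'enabled, including CONNECT; clear it unless that is intended'
            % pattern
        )
    return findings


# Constructed request lines, as a proxy or web-server log might record them.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.0",
    "POST /cgi-bin/form HTTP/1.0",
    "PUT /upload/file.txt HTTP/1.0",
    "CONNECT relay.example.invalid:25 HTTP/1.0",
    "TRACE / HTTP/1.0",
]


def passed_methods(rule: HttpResourceRule, request_lines) -> list:
    """Sorted list of distinct methods the rule would let through."""
    seen = set()
    for line in request_lines:
        method = line.split(" ", 1)[0]
        if rule.allows(method):
            seen.add(method.upper())
    return sorted(seen)


if __name__ == "__main__":
    for label, rule in (("default", HttpResourceRule()),
                        ("Other cleared", HttpResourceRule(other=""))):
        print(label, "passes:", passed_methods(rule, SAMPLE_REQUESTS))
        for finding in lint(rule):
            print("  WARNING:", finding)
```

Running it shows that the default rule, which an administrator reading only the tick boxes would expect to pass GET alone, also passes CONNECT and TRACE, while the same rule with "Other" cleared passes only GET.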
