Re: [FW-1] HTTP Proxy Security Hole!!!
Question? What hotfix? Currently I see two hotfixes for SP5 (one for LDAP and one for RDP). I've tested this on CP 4.1 SP4 and SP5 (no hotfixes) and I cannot reproduce this entire bug/feature. If my rule reads: Src: any, Dst: 1.1.1.1, Service: http security server, tunneling enabled, with a *:* in the host path, I can only connect to the 1.1.1.1 host on any port... I cannot connect to any host on any port. It seems I can only connect to the hosts that are in the dst field. If I update the dst to be 1.1.1.1 and 2.2.2.2, I can connect to both 1.1.1.1 and 2.2.2.2 on any port. If I change the dst to any, I can connect to any host on any port.

I would like to reproduce this, so if you can reply to this list, and directly to me, with the exact hotfix, that would be great!

-Greg Fraize
[email protected]

At 03:37 PM 2/19/2002 +0100, Volker Tanger wrote:
>Greetings!
>
>Snyder, Ryan wrote:
>
>> Try this on your firewall if you are running HTTP Proxy! Checkpoint has yet
>> to release a fix.
>
>[...]
>
>> I also found out that one can telnet to machines on a network that are
>> protected by the Firewall.
>
>I just tested and confirmed for FW1 V4.1 SP5 (plus hotfixes).
>
>Even worse: you can connect to any TCP port on any machine the firewall
>can connect to. Telnet, SMTP, POP, etc.
>
>Restrictions found:
> - connects are only possible if the firewall module
>   is allowed access (i.e. via policy/properties,
>   specific rules or "Any (dst) (svc)..." rules)
> - you have to allow "CONNECT" - it is enabled if you allowed the
>   "Tunneling" (General tab) connection method or did not
>   delete the "*" in "Other" Methods (Match tab)
>
>Fast workarounds:
> - Change your resource settings to filter out CONNECT
>   commands, i.e.
>   * disable HTTP tunneling
>   * check that "Other" method is specified NOT to
>     match CONNECT (i.e. remove the default wildcard)
> - disallow access from the firewall module (->Properties)
> - replace in all your rules containing the service
>   HTTP+Resource this part with plain HTTP. Yes, you lose
>   some content security but at least you don't compromise
>   your other servers
>
>The thing that really concerns me is that this general problem has been
>known to be an issue with plain HTTP proxies like Squid for ages
>(see e.g. http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14). And
>why didn't Checkpoint prevent or at least document this?
>
>Puzzled
>
> Volker
>
>--
>-------------------------------------------------------------------
>[email protected]                discon GmbH
>IT-Security Consulting           Wrangelstrasse 100
>http://www.discon.de/            10997 Berlin, Germany
>-------------------------------------------------------------------
>PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74 b94c c68e
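One defender-side check that follows from the thread's observation (the rule's Dst field and the tunneling setting decide where CONNECT can reach), as an added example that is not from either poster: it scans proxy log lines for CONNECT requests the rule should have blocked. The one-line log format, the function names and the sample lines are assumptions constructed for illustration, not FireWall-1's real log layout.

```python
# Added example (not from the thread): flag CONNECT tunnelling through an HTTP
# security server to hosts outside the rule's Dst field. The log format below
# is an assumption for illustration, not FireWall-1's real log layout.
import re
from typing import Iterable, Optional

# Assumed one-line-per-request format: "<date> <time> src=<ip> method=<M> target=<host>[:<port>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) method=(?P<method>\S+) target=(?P<target>\S+)$"
)

def parse(line: str) -> Optional[dict]:
    """Parse one assumed-format log line; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_tunnel_abuse(lines: Iterable[str], allowed_dst: set[str],
                      tunneling_enabled: bool) -> list[dict]:
    """Return CONNECT requests that the rule's Dst field (or a disabled
    tunneling setting) should have prevented. 'any' in allowed_dst means
    the rule's Dst is Any, as in the thread's last test case."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"].upper() != "CONNECT":
            continue
        host = rec["target"].rsplit(":", 1)[0]  # strip :port (IPv4/hostname targets assumed)
        if not tunneling_enabled:
            rec["reason"] = "CONNECT seen although tunneling is disabled"
        elif "any" not in allowed_dst and host not in allowed_dst:
            rec["reason"] = f"CONNECT to {host} outside rule Dst {sorted(allowed_dst)}"
        else:
            continue
        hits.append(rec)
    return hits

# Constructed sample log lines (not real captures).
SAMPLE_LOG = [
    "2002-02-19 15:37:01 src=10.0.0.5 method=GET target=1.1.1.1:80",
    "2002-02-19 15:37:02 src=10.0.0.5 method=CONNECT target=1.1.1.1:443",
    "2002-02-19 15:37:03 src=10.0.0.5 method=CONNECT target=2.2.2.2:25",
    "2002-02-19 15:37:04 src=10.0.0.9 method=CONNECT target=192.168.1.20:23",
]

if __name__ == "__main__":
    # Rule Dst = 1.1.1.1 with tunneling enabled: the SMTP and telnet CONNECTs are flagged.
    for h in find_tunnel_abuse(SAMPLE_LOG, {"1.1.1.1"}, tunneling_enabled=True):
        print(h["ts"], h["src"], h["reason"])
```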