Bugtraq mailing list archives
Security vulnerability in CERN httpd access protection
From: chrisf () suede sw oz au (Christopher Fraser)
Date: Sun, 22 Dec 1996 16:08:00 -0500
Some time ago I came across a security vulnerability in the access protection code in CERN httpd. I reported it to CERN last February but I haven't received any reply and the bug is still in the current sources.

The bug is interesting because it highlights a general risk which may be present in other Internet software. CERN accepts access protection as either IP address patterns (such as 192.14.203.*) or as DNS hostname patterns (*.softway.com.au). Because the two share a similar syntax it uses the same code to do the comparisons. However, it's entirely possible to construct DNS names that look like IP addresses and match the access protection rules. (I did a quick survey and the only other net software I could find which has the same problem is INN).

The bottom line is that if you run the CERN httpd server as a proxy on a gateway machine and you use IP address patterns to restrict access to the proxy, external attackers can use the proxied services to access internal machines. This vulnerability exists even if your site filters out IP source address spoofed packets and has a paranoid resolver library.

I can supply a rough patch to interested parties; please contact me if you would be prepared to test it. Otherwise, a patch will be available from http://softway.com.au/misc/cern.html in the next few days.

In the meanwhile, if you are currently using CERN as a proxy on a gateway machine, I would highly recommend using router or host OS IP filtering to restrict access to the proxy service. Additionally you may want to look at newer proxy software, such as Squid, which may or may not be more secure (I haven't looked).

Regards,
Christopher.

--
Christopher Fraser      ``First time surrealists are often confused by the
chrisf () sw oz au        similarities between fish and telephones.''
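
The bug class described in the post above, as an added example that is not part of the original message and is not CERN httpd source code: one wildcard comparison applied to both the peer address and the peer's DNS name, next to a check that keeps the two apart. All function names and the sample peer values are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Minimal '*' wildcard match, case-insensitive (hypothetical helper). */
static int glob_match(const char *pat, const char *s)
{
    if (*pat == '\0') return *s == '\0';
    if (*pat == '*') {
        for (;; s++) {
            if (glob_match(pat + 1, s)) return 1;
            if (*s == '\0') return 0;
        }
    }
    if (*s == '\0') return 0;
    if (tolower((unsigned char)*pat) != tolower((unsigned char)*s)) return 0;
    return glob_match(pat + 1, s + 1);
}

/* A rule is an address pattern only if it consists of digits, dots and '*'. */
static int is_addr_pattern(const char *pat)
{
    return *pat != '\0' && strspn(pat, "0123456789.*") == strlen(pat);
}

/* Flawed shape: the same comparison is tried against address and name. */
int allow_shared(const char *pat, const char *peer_ip, const char *peer_name)
{
    return glob_match(pat, peer_ip) || (peer_name && glob_match(pat, peer_name));
}

/* Hardened shape: address rules see only the socket address,
 * hostname rules see only the resolved name. */
int allow_typed(const char *pat, const char *peer_ip, const char *peer_name)
{
    if (is_addr_pattern(pat))
        return glob_match(pat, peer_ip);
    return peer_name != NULL && glob_match(pat, peer_name);
}

int main(void)
{
    /* Constructed sample: external peer whose DNS name is digits and dots. */
    const char *ip = "203.0.113.7", *name = "192.14.203.7";
    printf("shared: %d  typed: %d\n",
           allow_shared("192.14.203.*", ip, name),
           allow_typed("192.14.203.*", ip, name));
    return 0;
}
```

The typed check closes only the address-rule confusion; hostname rules still depend on how far the resolved name can be trusted.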