Bugtraq mailing list archives

Security vulnerability in CERN httpd access protection


From: chrisf () suede sw oz au (Christopher Fraser)
Date: Sun, 22 Dec 1996 16:08:00 -0500


Some time ago I came across a security vulnerability in the access protection
code in CERN httpd. I reported it to CERN last February but I haven't received
any reply and the bug is still in the current sources. The bug is interesting
because it highlights a general risk which may be present in other
Internet software.

CERN accepts access protection as either IP address patterns (such as
192.14.203.*) or as DNS hostname patterns (*.softway.com.au). Because
the two share a similar syntax it uses the same code to do the
comparisons. However, it's entirely possible to construct DNS names
that look like IP addresses and match the access protection rules.
(I did a quick survey and the only other net software I could find which
has the same problem is INN).

The bottom line is that if you run the CERN httpd server as a proxy on a
gateway machine and you use IP address patterns to restrict access to the
proxy, external attackers can use the proxied services to access internal
machines. This vulnerability exists even if your site filters out IP source
address spoofed packets and has a paranoid resolver library.

I can supply a rough patch to interested parties; please contact me if you
would be prepared to test it. Otherwise, a patch will be available from
http://softway.com.au/misc/cern.html in the next few days. In the meanwhile, if
you are currently using CERN as a proxy on a gateway machine, I would highly
recommend using router or host OS IP filtering to restrict access to the proxy
service. Additionally you may want to look at newer proxy software, such as
Squid, which may or may not be more secure (I haven't looked).

Regards,

Christopher.

--
Christopher Fraser   ``First time surrealists are often confused by the
chrisf () sw oz au        similarities between fish and telephones.''
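The following is an added illustration of the flaw the post describes; it is not code from CERN httpd or from the author, but a reconstruction of the logic in Python. It puts a matcher that compares a wildcard pattern against both the peer address and its reverse-DNS name (the shared-code approach the post criticises) beside one that compares address patterns only with the address and hostname patterns only with the hostname. The two rule patterns are the ones from the post; the outside client address and its reverse name are constructed sample values. Nothing is spoofed in the scenario: the name resolves legitimately, which is why source-address filtering and a paranoid resolver do not help.

```python
"""Reconstruction of the CERN httpd access-pattern flaw described in the post.

Not CERN httpd code. The outside address and reverse name are constructed.
"""
import fnmatch
import ipaddress
import re

# Access rules of the two kinds the post mentions (patterns taken from the post).
ACL = ["192.14.203.*", "*.softway.com.au"]

# Constructed request: a host outside the network whose PTR record has been
# made to look like an internal address prefix. The name resolves legitimately,
# so anti-spoofing filters and a paranoid resolver never see anything wrong.
OUTSIDE_IP = "203.0.113.45"
OUTSIDE_REVERSE_NAME = "192.14.203.7.outside.example"


def matches_shared(pattern, client_ip, client_hostname):
    """One matcher for both rule kinds (the flawed approach).

    The wildcard pattern is tried against the peer address and against the
    reverse-DNS name, so an address pattern can be satisfied by a hostname.
    """
    return (fnmatch.fnmatchcase(client_ip, pattern)
            or fnmatch.fnmatchcase(client_hostname.lower(), pattern.lower()))


def is_address_pattern(pattern):
    """A pattern made only of digits, dots and '*' is an address pattern."""
    return re.fullmatch(r"[0-9.*]+", pattern) is not None


def matches_separated(pattern, client_ip, client_hostname):
    """Hardened matcher: each rule kind is compared only with its own input."""
    if is_address_pattern(pattern):
        # Only the peer address from the socket may satisfy an address pattern.
        # It is validated as an IPv4 literal first, so fnmatch's '*' can only
        # ever expand to digits and dots here, never to a hostname.
        try:
            ipaddress.IPv4Address(client_ip)
        except ValueError:
            return False
        return fnmatch.fnmatchcase(client_ip, pattern)
    # Hostname pattern: compare with the hostname only, and refuse a "hostname"
    # that is really an address literal (e.g. a resolver fallback).
    try:
        ipaddress.ip_address(client_hostname)
        return False
    except ValueError:
        pass
    return fnmatch.fnmatchcase(client_hostname.lower(), pattern.lower())


def is_allowed(acl, client_ip, client_hostname, matcher):
    """True if any rule in acl matches the request under the given matcher."""
    return any(matcher(rule, client_ip, client_hostname) for rule in acl)


if __name__ == "__main__":
    for name, matcher in (("shared matcher", matches_shared),
                          ("separated matcher", matches_separated)):
        verdict = is_allowed(ACL, OUTSIDE_IP, OUTSIDE_REVERSE_NAME, matcher)
        print(f"{name}: {OUTSIDE_IP} ({OUTSIDE_REVERSE_NAME}) allowed = {verdict}")
```

With the shared matcher the outside host is admitted by the `192.14.203.*` rule because the `*` happily swallows `7.outside.example`; with the separated matcher the same request is refused, while a genuine `192.14.203.7` client or a `www.softway.com.au` client still passes. The separation of the two comparison paths is the whole fix; the pattern syntax itself does not need to change.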
