Bugtraq mailing list archives
Re: Raptor 6.5 http vulnerability (fwd)
From: Alexander Bochmann <ab () GXIS DE>
Date: Tue, 27 Mar 2001 16:21:40 +0200
Hi,
...on Tue, Mar 27, 2001 at 10:16:55PM +1000, Peter Robinson wrote:
> Most http Proxy solutions (including squid and fw1) do this unless you specify otherwise. If you don't know what you're doing... you don't know what you're doing!!. Don't blame the software.....
Ok, I'm going to blame the documentation then ;) It doesn't waste a word about the possibility to access the http proxy as proxy from the outside interface; and although one could think that people would consider this possibility, I have yet to see one Raptor installation that has been guarded against it. Although it can be used as proxy, people (including me, although I was aware that the http module can be used as proxy from the inside interfaces) who just use the http module for transparent connections seem to forget about the proxying abilities.
> This is NOT a bug, just a feature .. Often you want people to use their proxy to access web sites on other ports.
I know that it's a feature...
> Proxies should be set up correctly to permit incoming HTTP access by ip address and limited to what remote ports are allowed. The defaults are never adequate.
...but sometimes it seems, some reminders are needed.
> It hardly requires "brute force". The "setenv" LYNX/Unix default proxy are the same as the proxy settings in a browser like Netscape or I.E.
I know that it's the same, but it's easier to copy and paste text output to messages... You want screenshots instead? Also, what I was talking about as brute force was not using the http module as proxy in itself, but the brute force would be to try all IP addresses you would expect on the inside interface to see which ones are responding to requests proxied through the http module.
Alex.
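Added example, not part of the original message: a log check for the exposure discussed in this thread, flagging proxy requests where a client outside the protected networks reached, or tried to reach, an inside address. It assumes Squid's native access.log field order (Squid being one of the proxies named above) and RFC 1918 ranges as the inside networks; the sample lines are constructed, and Raptor's own log format is not modelled.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: these ranges are the "inside" networks behind the proxy.
INSIDE_NETS = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_inside(host):
    """True if host is an IP literal in an inside network (hostnames: False)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; rely on the peer address instead
    return any(addr in net for net in INSIDE_NETS)

def parse_line(line):
    """Split a Squid native-format line into the fields this check needs."""
    f = line.split()
    if len(f) < 10:
        return None  # truncated or foreign line
    client, result, method, url, peer = f[2], f[3], f[5], f[6], f[8]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]           # CONNECT logs host:port
    else:
        host = urlsplit(url).hostname or ""
    peer_host = peer.split("/", 1)[1] if "/" in peer else "-"
    return client, result, host, peer_host

def flag_outside_to_inside(lines):
    """Return (client, inside_target, served) for outside-client requests."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, result, host, peer_host = rec
        if is_inside(client):
            continue                            # normal inside-to-anywhere use
        if is_inside(host) or is_inside(peer_host):
            target = host if is_inside(host) else peer_host
            served = "DENIED" not in result     # True means the ACL let it through
            hits.append((client, target, served))
    return hits

# Constructed sample log lines (documentation address ranges for outside hosts).
SAMPLE_LOG = [
    "985702900.101 45 192.168.1.20 TCP_MISS/200 1532 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "985702901.202 12 203.0.113.7 TCP_MISS/200 804 GET http://10.1.1.5/ - DIRECT/10.1.1.5 text/html",
    "985702902.303 3 203.0.113.7 TCP_DENIED/403 1100 GET http://10.1.1.6/ - NONE/- text/html",
    "985702903.404 80 203.0.113.7 TCP_MISS/200 900 GET http://intranet.example/ - DIRECT/192.168.1.10 text/html",
    "985702904.505 30 198.51.100.9 TCP_MISS/200 2100 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    for client, target, served in flag_outside_to_inside(SAMPLE_LOG):
        print(client, "->", target, "SERVED" if served else "denied")
```

A hit with `served` true means the proxy answered an outside client on behalf of an inside host, which is the missing access restriction the thread is about; a run of denied hits from one client against consecutive inside addresses matches the address sweep described in the message.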