Bugtraq mailing list archives

Re: Raptor 6.5 http vulnerability (fwd)


From: Alexander Bochmann <ab () GXIS DE>
Date: Tue, 27 Mar 2001 16:21:40 +0200

Hi,

...on Tue, Mar 27, 2001 at 10:16:55PM +1000, Peter Robinson wrote:

> Most http Proxy solutions (including squid and fw1) do this unless you
> specify otherwise.
> If you don't know what you're doing... you don't know what you're doing!!
> Don't blame the software.....

Ok, I'm going to blame the documentation then ;)

It doesn't waste a word about the possibility to access the
http proxy as proxy from the outside interface; and although
one could think that people would consider this possibility,
I have yet to see one Raptor installation that has been guarded
against it.

Although it can be used as proxy, people (including me, although
I was aware that the http module can be used as proxy from the
inside interfaces) who just use the http module for transparent
connections seem to forget about the proxying abilities.

> This is NOT a bug, just a feature .. Often you want people to use their
> proxy to access web sites on other ports.

I know that it's a feature...

> Proxies should be set up correctly to permit incoming HTTP access by ip
> address and limited to what remote ports are allowed. The defaults are never
> adequate.

...but sometimes it seems, some reminders are needed.

> It hardly requires "brute force". The "setenv" LYNX/Unix default proxy are
> the same as the proxy settings in a browser like Netscape or I.E.

I know that it's the same, but it's easier to copy and paste text
output to messages... You want screenshots instead?

Also, what I was talking about as brute force was not using the
http module as proxy in itself, but the brute force would be to
try all IP addresses you would expect on the inside interface
to see which ones are responding to requests proxied through
the http module.

Alex.
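
The restriction discussed in this thread (proxy access limited by client IP address and by allowed remote ports), as an added example that is not part of the original message or of Raptor itself: a small audit over proxy request records. The log format, the inside network 192.168.10.0/24 and the allowed port list are assumptions, and the sample lines are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy values (not from the thread): who may use the proxy, and to which ports.
INSIDE_CLIENTS = [ipaddress.ip_network("192.168.10.0/24")]
ALLOWED_PORTS = {80, 443}

# Constructed sample records in an assumed format: "<client_ip> <method> <target>"
SAMPLE_LOG = """\
192.168.10.15 GET http://www.example.com/index.html
203.0.113.7 GET http://192.168.10.20/admin/
203.0.113.7 GET http://192.168.10.21:8080/
192.168.10.15 CONNECT mail.example.com:25
192.168.10.15 CONNECT www.example.com:443
"""

def target_host_port(method, target):
    """Return (host, port) for a proxied request target."""
    if method == "CONNECT":              # CONNECT targets are "host:port"
        host, _, port = target.rpartition(":")
        return host, int(port)
    parts = urlsplit(target)             # other methods carry an absolute URL
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def is_internal(host):
    """True when the target is a literal private (RFC 1918 style) address."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False                     # a hostname, not a literal address

def audit(log_text):
    """Return (line_number, client, reason) for each request that violates the policy."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 3:
            continue                     # skip malformed records
        client, method, target = fields
        host, port = target_host_port(method, target)
        inside = any(ipaddress.ip_address(client) in net for net in INSIDE_CLIENTS)
        if not inside:
            reason = ("outside client reaching inside address" if is_internal(host)
                      else "outside client using proxy")
            findings.append((lineno, client, reason))
        elif port not in ALLOWED_PORTS:
            findings.append((lineno, client, f"remote port {port} not allowed"))
    return findings
```
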

