proxying exploit attempts

From: James Young <[email protected]>
Date: Fri, 22 Jan 1999 14:04:31 -0600

Hello all-
Someone informed me of some abuse of a network proxy I administrate.
The cracker attempted to exploit well-known vulnerabilities in cgi scripts.
Advice would be appreciated: here are my options as I see them, other than
the obvious - inform involved parties: the sites he attacked, and his
sysadmin.

   1. Ignore him. We (probably) are not liable for what he did. Besides,
his automated tools would have made another appearance by now if he were
going to repeat this.
   2. Block his access, via his ISPs subnet or whatever. However, he could
just get another ISP. I have not used ACLs before, so my configuration of
them could lead to a false sense of security.
   3. Keep his scripts from working. Write a redirector that allows only
known good characters (a-z, 0-9, +.-;:@&=?$_!*()"'^), and filters out nasty
patterns (.., etc/passwd, (\||IFS)). It would perform "%xx" -> "x"
translation first, except certain characters (space).

#3 is currently my favorite. It blocks a class of attacks from anywhere.
Unfortunately, it could break some valid scripts: I do not know.

To phrase it in the form of a question: How viable does this redirector
seem to everyone?

-james
Received on Fri Jan 22 1999 - 12:47:04 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:44:07 MST