Re: TCP_DENIED when port !=80 and <= 1024

From: Dancer <[email protected]>
Date: Thu, 13 May 1999 10:22:35 +1000

"Knut A. Syed" wrote:
>
> Thilo Manske <Thilo.Manske@HEH.Uni-Oldenburg.DE> writes:
>
> > Add the port number (81) to the port acl which restricts access to
> > "safe ports" only (Safe_ports in squid.conf.default).
>
> Port 81 was actually just one example. Today's log contains at least
> these ports: 81, 82, 90, 180, 1010, 1024.
>
> In what way would it be unsafe to accept all ports?
>
> ~kas

CONNECT a.mail.server.com:25 HTTP/1.0

HELO x
MAIL FROM: <innocentperson@server.com>
RCPT TO: <ihateyou@somewhere.else.com>
DATA
From: Person, Innocent <innocentperson@server.com>
To: Victim, Hated <ihateyou@somewhere.else.com>
Subject: You suck wet farts out of dead pigeons.

Hatehatehatehatehatehatehate...

(etc)
.
QUIT

This is only one ugly application. Many services are prone to this sort
of thing, and to them, it looks like _your_ machine is doing it. This
can also be used to gain access to services that are restricted to
certain source-ip ranges.

It is _most_ unwise to open up arbitrary services. RFC1340 isn't just a
good idea. It's a _really_ good idea.

Note that the above can be done without 'CONNECT', and with 'GET'
instead using a not dissimilar trick. I won't list it here, because it
takes a small modicum of brain-power to work out. Why make it _too_ easy
for people?

D
Received on Wed May 12 1999 - 18:03:08 MDT
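Editor's note (added example, not part of Dancer's post and not Squid's own code): the exchange above is about what Squid's default port ACLs actually decide. The model below reproduces the two default deny rules, `http_access deny !Safe_ports` followed by `http_access deny CONNECT !SSL_ports`, over a handful of constructed request lines, including the CONNECT-to-port-25 relay attempt from the post and the port 81 GET that produced Knut's TCP_DENIED. The Safe_ports/SSL_ports membership is assumed to match squid.conf.default; adjust it to the installed version. It also shows what Thilo's suggestion (adding 81 to Safe_ports) does and does not open up: a GET to :81 becomes allowed, but CONNECT to :81 stays denied because 81 is not in SSL_ports.

```python
"""Model of Squid's default port ACL decisions (added example, not Squid code)."""
from urllib.parse import urlsplit

# Assumed to match squid.conf.default; edit to taste (e.g. add 81 for Knut's case).
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}

# Default ports for absolute-URI requests that omit an explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}


def target_port(method, target):
    """Return the destination port named by an HTTP request-line target.

    CONNECT uses authority form ("host:port"); every other method sent to a
    proxy uses absolute-URI form ("http://host:port/path").
    """
    if method == "CONNECT":
        _host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return int(port)
    parts = urlsplit(target)
    if parts.port is not None:
        return parts.port
    if parts.scheme in DEFAULT_PORTS:
        return DEFAULT_PORTS[parts.scheme]
    raise ValueError("cannot determine destination port")


def http_access(request_line, safe_ports=SAFE_PORTS, ssl_ports=SSL_PORTS):
    """Evaluate the two default deny rules in order, as Squid does:
        http_access deny !Safe_ports
        http_access deny CONNECT !SSL_ports
    Returns ("deny", <rule that matched>) or ("allow", None).
    """
    method, target, _version = request_line.split()
    try:
        port = target_port(method, target)
    except ValueError:
        return ("deny", "malformed")
    if port not in safe_ports:
        return ("deny", "!Safe_ports")
    if method == "CONNECT" and port not in ssl_ports:
        return ("deny", "CONNECT !SSL_ports")
    return ("allow", None)


# Constructed request lines for the walk-through.
SAMPLE_REQUESTS = [
    "CONNECT a.mail.server.com:25 HTTP/1.0",      # the SMTP relay attempt in the post
    "CONNECT www.example.com:443 HTTP/1.0",       # an ordinary TLS tunnel
    "CONNECT www.example.com:8443 HTTP/1.0",      # safe port, but not an SSL port
    "GET http://www.example.com:81/ HTTP/1.0",    # the port behind Knut's TCP_DENIED
    "GET http://www.example.com/ HTTP/1.0",       # implicit :80
    "GET http://www.example.com:8080/ HTTP/1.0",  # unprivileged port, allowed by default
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line:45s} -> {http_access(line)}")
    print("--- with 81 added to Safe_ports, as Thilo suggested ---")
    for line in ("GET http://www.example.com:81/ HTTP/1.0",
                 "CONNECT www.example.com:81 HTTP/1.0"):
        print(f"{line:45s} -> {http_access(line, safe_ports=SAFE_PORTS | {81})}")
```

The point the model makes concrete: a Safe_ports entry only widens what plain proxied requests may reach; CONNECT tunnels are additionally gated by SSL_ports, so adding 81 to Safe_ports does not turn the proxy into a generic TCP relay to that port. Keep port 25 out of both lists.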

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:46:16 MST