[squid-users] Is this a security hole or am I missing something (httpd_accel and CONNECT)

From: Jaska Kivel� <[email protected]>
Date: Thu, 12 Jul 2001 12:36:17 +0300

Hi.

I'm running Squid Cache: Version 2.3.STABLE4 in accelerator mode:

--clip--
http_port www.somehost.somewhere:80
httpd_accel_host 1.2.3.4
httpd_accel_port 80
httpd_accel_with_proxy off
httpd_accel_uses_host_header off
--clap--

And have acl's like this:

--clip--
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl accel dst 192.194.194.61/255.255.255.255
acl http_port port 80
acl CONNECT method CONNECT

http_access deny CONNECT
http_access deny manager !localhost
http_access allow http_port
http_access allow accel
http_access deny all
--clap--

However, I am (and malicious users all around are) able to
CONNECT to any address/port:

--clip--
[jack] jk ~ : telnet www.somehost.somewhere 80
Trying 1.2.3.4...
Connected to www.somehost.somewhere.
Escape character is '^]'.
CONNECT mail.somehost.somewhere:25 HTTP/1.0

HTTP/1.0 200 Connection established

220 mail.somehost.somewhere ESMTP
HELO foo.bar
250-mail.somehost.somewhere
250-PIPELINING
250 8BITMIME
MAIL FROM:<any@where>
250 ok
RCPT TO:<some@where>
250 ok
QUIT
221 mail.somehost.somewhere
Connection closed by foreign host.
Exit 1
[jack] jk ~ :
--clap--

This allows hackers to use our local mail servers for spamming
(local IP's are relied for relaying) and e.g. connect to remote
IRC servers (which has happened).

Is there something I'm missing about the ACL configuration, or
is there a hole in accelerator mode?

Please help,

-- 
Jaska Kivel�            | Alma Media Net Ventures Oy | puh (03) 266 6068
jk@almamedia.fi         | Network Services           | fax (03) 266 6061
it systems specialist   | PL 327, 33101 TAMPERE      | gsm  040 576 2988
                        | http://www.almamedia.fi/netventures/
Received on Thu Jul 12 2001 - 03:36:20 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:06 MST