Re: [squid-users] Problem with cache poisoning

From: Hans-Christian Prytz <[email protected]>
Date: Tue, 20 Jan 2004 11:12:21 +0100

"Elsen Marc" <elsen@imec.be> writes:

[...]

>
> I never had this but I would suggest finding out whether you
> are dealing with cache poisoning or perhaps 'browser poisoning' due
> to cookie fiddling or whatever due to an earlier visit to a malicious site.
> This could easily be done by querying the cache directly for the
> affected sites as in:

I have checked this, and for the sites that are affected (they are
not the same all the time) the expected html content (i.e. the
whatever/index.html or whatnot) is replaced by a meta refresh to
coolsavings.

>
> % telnet squid_host squid_port
> GET http://www.rediff.com/ HTTP/1.0
> <double return>
>
> Verify this output and see whether this is rediff.com or 'coolsavings'.

This is exactly what happens when I find a site that is affected.

>
> Verify also, what is seen in access.log when trying this request.
> Preferably I would do this, in such cases in an 'isolated mode' on squid, meaning
> that squid is not dealing with other requests, to have a clear analysis of
> this problem.
>

I'm trying to do this now, but I haven't been able to reproduce the
problem in a controlled environment so far.

-HCP
Received on Tue Jan 20 2004 - 03:12:26 MST
