[ 
https://issues.apache.org/jira/browse/TS-2954?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nikolai Gorchilov updated TS-2954:
----------------------------------

    Description: 
The current implementation of proxy.config.http.use_client_target_addr opens a very 
simple attack vector for cache poisoning in transparent forwarding mode.

An attacker (or malware installed on an innocent end-user's computer) puts a fake IP 
for a popular website like www.google.com or www.facebook.com in the hosts file on a PC 
behind the proxy. Once an infected PC requests the webpage in question, a 
cacheable fake response poisons the cache.

In order to prevent such scenarios (as well as [some 
others|http://www.kb.cert.org/vuls/id/435052]) Squid has implemented a 
mechanism known as [Host Header Forgery 
Detection|http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery].

In short, while requesting a URL from the origin server IP as hinted by the 
client, the proxy makes an independent DNS query in parallel in order to determine if 
the client-supplied IP belongs to the requested domain name. In case of a discrepancy 
between the DNS and client IPs, the transaction shall be flagged as non-cacheable to 
avoid possible cache poisoning, while still serving the origin response to the 
client.

  was:
The current implementation of proxy.config.http.use_client_target_addr opens a very 
simple attack vector for cache poisoning in transparent forwarding mode.

An attacker (or malware installed on an innocent end-user's computer) puts a fake IP 
for a popular website like www.google.com or www.facebook.com in the hosts file on a PC 
behind the proxy. Once an infected PC requests the webpage in question, a 
cacheable fake response poisons the cache.

In order to prevent such scenarios (as well as [some 
others|http://www.kb.cert.org/vuls/id/435052]) Squid has implemented a 
mechanism known as [Host Header Forgery 
Detection|http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery].

In short, while requesting a URL from the origin server IP as hinted by the 
client, the proxy makes an independent DNS query in parallel in order to determine if 
the client-supplied IP belongs to the requested domain name. In case of a discrepancy 
between the DNS and client IPs, the transaction shall be flagged as non-cacheable to 
avoid possible cache poisoning, while still serving the original response to 
the client.


> cache poisoning due to proxy.config.http.use_client_target_addr = 1
> -------------------------------------------------------------------
>
>                 Key: TS-2954
>                 URL: https://issues.apache.org/jira/browse/TS-2954
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Cache, DNS, Security, TProxy
>            Reporter: Nikolai Gorchilov
>            Priority: Critical
>
> The current implementation of proxy.config.http.use_client_target_addr opens a 
> very simple attack vector for cache poisoning in transparent forwarding mode.
> An attacker (or malware installed on an innocent end-user's computer) puts a fake 
> IP for a popular website like www.google.com or www.facebook.com in the hosts file 
> on a PC behind the proxy. Once an infected PC requests the webpage in question, 
> a cacheable fake response poisons the cache.
> In order to prevent such scenarios (as well as [some 
> others|http://www.kb.cert.org/vuls/id/435052]) Squid has implemented a 
> mechanism known as [Host Header Forgery 
> Detection|http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery].
> In short, while requesting a URL from the origin server IP as hinted by the 
> client, the proxy makes an independent DNS query in parallel in order to determine 
> if the client-supplied IP belongs to the requested domain name. In case of a 
> discrepancy between the DNS and client IPs, the transaction shall be flagged as 
> non-cacheable to avoid possible cache poisoning, while still serving the 
> origin response to the client.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

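The mitigation the ticket asks for, modelled as a small added example (this is neither Apache Traffic Server nor Squid code): the proxy keeps the client-supplied destination address for the upstream connection, performs its own DNS lookup of the Host header, and marks the transaction non-cacheable when that address is not among the resolver's answers. The `Resolver` callable, the `check_host_forgery` / `is_cacheable` function names and the stub DNS table (documentation-range addresses) are all constructed for this example.

```cpp
// Added example: decision logic for Host Header Forgery Detection in a
// transparent proxy. Not code from Traffic Server or Squid.
#include <functional>
#include <iostream>
#include <map>
#include <set>
#include <string>

using IpSet = std::set<std::string>;
// Any callable that maps a hostname to the addresses the proxy's own DNS
// lookup returns (hypothetical interface, stands in for the real resolver).
using Resolver = std::function<IpSet(const std::string&)>;

enum class Verdict { Cacheable, NonCacheable };

// host          : Host header supplied by the client.
// client_dst_ip : address the client actually connected to, taken from the
//                 intercepted socket (what use_client_target_addr forwards to).
// The upstream request still goes to client_dst_ip either way; the verdict
// only governs whether the response may be stored in the shared cache.
Verdict check_host_forgery(const std::string& host,
                           const std::string& client_dst_ip,
                           const Resolver& resolve) {
    const IpSet dns_ips = resolve(host);
    if (dns_ips.empty()) {
        // Name does not resolve: the proxy cannot vouch for the address,
        // so the response must not be cached under that hostname.
        return Verdict::NonCacheable;
    }
    return dns_ips.count(client_dst_ip) ? Verdict::Cacheable
                                        : Verdict::NonCacheable;
}

// Constructed stub DNS table; the addresses are RFC 5737 documentation
// ranges, not real records.
Resolver make_stub_resolver() {
    static const std::map<std::string, IpSet> table = {
        {"www.example.com", {"192.0.2.10", "192.0.2.11"}},
        {"cdn.example.net", {"198.51.100.5"}},
    };
    return [](const std::string& name) -> IpSet {
        auto it = table.find(name);
        return it == table.end() ? IpSet{} : it->second;
    };
}

// Convenience wrapper used by the demo and the checks below.
bool is_cacheable(const std::string& host, const std::string& client_dst_ip) {
    return check_host_forgery(host, client_dst_ip, make_stub_resolver())
           == Verdict::Cacheable;
}

int main() {
    // Client whose hosts file is untouched: destination matches DNS.
    std::cout << "honest client, www.example.com -> 192.0.2.10: "
              << (is_cacheable("www.example.com", "192.0.2.10") ? "cache" : "no-cache")
              << '\n';
    // Client whose hosts file maps the name to an address DNS never returns:
    // the response is still served to that client, but is not cached.
    std::cout << "redirected client, www.example.com -> 203.0.113.7: "
              << (is_cacheable("www.example.com", "203.0.113.7") ? "cache" : "no-cache")
              << '\n';
    return 0;
}
```

Comparing against the full answer set rather than a single address matters in practice: a name served by several addresses (round-robin or CDN) must not be treated as forged just because the client picked a different one of them, and when the proxy's and the client's resolvers disagree entirely the design errs toward serving but not caching, which is the behaviour the ticket describes.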