[ https://issues.apache.org/jira/browse/TS-2954?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Susan Hinrichs updated TS-2954:
-------------------------------

    Attachment: ts-2954.patch

[~ngorchilov] could you take a look at the patch and give it a test?

> cache poisoning due to proxy.config.http.use_client_target_addr = 1
> -------------------------------------------------------------------
>
>                 Key: TS-2954
>                 URL: https://issues.apache.org/jira/browse/TS-2954
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Cache, DNS, Security, TProxy
>            Reporter: Nikolai Gorchilov
>            Assignee: Susan Hinrichs
>            Priority: Critical
>             Fix For: 5.1.0
>
>         Attachments: ts-2954.patch
>
>
> The current implementation of proxy.config.http.use_client_target_addr opens a very simple attack vector for cache poisoning in transparent forwarding mode. An attacker (or malware installed on an innocent end-user computer) puts a fake IP for a popular website like www.google.com or www.facebook.com in the hosts file on a PC behind the proxy. Once an infected PC requests the webpage in question, a cacheable fake response poisons the cache.
>
> In order to prevent such scenarios (as well as [some others|http://www.kb.cert.org/vuls/id/435052]) Squid has implemented a mechanism known as [Host Header Forgery Detection|http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery].
>
> In short, while requesting a URL from the origin server IP as hinted by the client, the proxy makes an independent DNS query in parallel in order to determine if the client-supplied IP belongs to the requested domain name. In case of a discrepancy between DNS and the client IP, the transaction shall be flagged as non-cacheable to avoid possible cache poisoning, while still serving the origin response to the client.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
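The decision rule the report asks for (independent DNS lookup, forward to the client's target anyway, refuse to cache on a mismatch), as an added illustration that is neither the attached ts-2954.patch nor Traffic Server code. The resolver answers, host names and addresses are constructed from documentation ranges, and the logic is a simplified assumption of the Squid behaviour described in the ticket, not its implementation.

```python
import ipaddress

# Constructed resolver answers (documentation ranges only), standing in for the
# proxy's own independent DNS lookup of the Host header.
RESOLVED = {
    "www.example.com": {"192.0.2.10", "192.0.2.11", "2001:db8::10"},
    "cdn.example.net": {"198.51.100.5"},
}

def _normalize_host(host):
    """Lower-case the Host header and drop an explicit port ("example.com:8080")."""
    host = host.strip().lower()
    if host.startswith("["):                       # bracketed IPv6 literal: keep as-is
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host

def check_client_target(host, client_target_ip, resolved=RESOLVED):
    """Simplified model (assumption, not ATS code) of the Squid-style check: always
    forward to the address the client connected to, but mark the transaction
    non-cacheable unless that address appears in the proxy's own DNS answer for
    the Host header. Returns (forward_to, cacheable, reason)."""
    target = ipaddress.ip_address(client_target_ip)
    answers = resolved.get(_normalize_host(host))
    if answers is None:
        # Unresolvable host: the proxy cannot verify the client's target, so the
        # response must not be admitted to the shared cache.
        return str(target), False, "dns-failure"
    if any(target == ipaddress.ip_address(a) for a in answers):
        return str(target), True, "verified"
    # Client-supplied address is not one DNS returns for this name: serve the
    # origin response to that client only, never cache it.
    return str(target), False, "host-header-forgery"

def audit(transactions, resolved=RESOLVED):
    """Run the check over (host, client_target_ip) pairs and return the verdicts."""
    return [(h, *check_client_target(h, ip, resolved)) for h, ip in transactions]

# Constructed transactions: a legitimate request, one with a port in Host, one
# whose target was steered to an address DNS never returns, and an unknown host.
SAMPLE = [
    ("www.example.com", "192.0.2.11"),
    ("WWW.example.com:80", "2001:db8::10"),
    ("www.example.com", "203.0.113.66"),
    ("unknown.invalid", "192.0.2.99"),
]

if __name__ == "__main__":
    for host, fwd, cacheable, reason in audit(SAMPLE):
        print(f"{host:22} -> {fwd:14} cache={cacheable!s:5} {reason}")
```

A real proxy would issue the DNS query asynchronously alongside the origin connection, as the ticket describes; the verdict only needs to be known before the response is written to the cache.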