[jira] [Commented] (TS-2954) cache poisoning due to proxy.config.http.use_client_target_addr = 1

Wed, 30 Jul 2014 05:16:55 -0700 

    [ 
https://issues.apache.org/jira/browse/TS-2954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14079228#comment-14079228
 ] 

Nikolai Gorchilov commented on TS-2954:
---------------------------------------

As this is TPROXY setup, there's neither hostname, nor ip address in the 
requested URL.

{noformat}
$ tcpflow -ci en1 net 91.239.13.61 and port 80
tcpflow[79736]: listening on en1
192.168.001.113.52084-091.239.013.061.00080: GET 
/vi_webp/6eKYsYUlGB8/mqdefault.webp HTTP/1.1
User-Agent: Wget/1.13 (darwin11.4.0)
Accept: */*
Host: i.ytimg.com
Connection: Keep-Alive
{noformat}

As you can see, the destination IP has been used by the wget itself - dst is 
091.239.013.061.00080

> cache poisoning due to proxy.config.http.use_client_target_addr = 1
> -------------------------------------------------------------------
>
>                 Key: TS-2954
>                 URL: https://issues.apache.org/jira/browse/TS-2954
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Cache, DNS, Security, TProxy
>            Reporter: Nikolai Gorchilov
>            Assignee: Susan Hinrichs
>            Priority: Critical
>             Fix For: 5.1.0
>
>         Attachments: ts-2954.patch
>
>
> Current implementation of proxy.config.http.use_client_target_addr opens a 
> very simple attack vector for cache poisoning in transparent forwarding mode.
> An attacker (or malware installed on innocent end-user computer) puts a fake 
> IP for popular website like www.google.com or www.facebook.com in hosts file 
> on PC behind the proxy. Once an infected PC requests the webpage in question, 
> a cacheable fake response poisons the cache.
> In order to prevent such scenarios (as well as [some 
> others|http://www.kb.cert.org/vuls/id/435052]) Squid have implemented a 
> mechanism known as [Host Header Forgery 
> Detection|http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery].
> In short, while requesting an URL from origin server IP as hinted by the 
> client, proxy makes independent DNS query in parallel in order to determine 
> if client supplied IP belongs to requested domain name. In case of 
> discrepancy between DNS and client IP, the transaction shall be flagged as 
> non-cacheable to avoid possible cache poisoning, while still serving the 
> origin response to the client.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to