Re: a litle bypass with IE
Nuno Costa wrote :-
> hello
>
> im not a expert in this area, but i work in a intranet that haves the
> Squid/2.3.STABLE5 filtring all access's to the internet..
>
> so i don't have access to the internet directaly, but i know that this
> proxy allow access to especific web sites.. so, in the past if i us
> this:
>
> http://url@xxxxxxxxxxxxxxxxxx -> the vuln that is already discovered...
> > i have access to the website that i want...
>
> but in this days, this vuln is now fixed so...
>
> in my test's i found this way to pass this proxy, using:
>
> http://@@website_allowed.pt@my_url -> now i have access...
>
> using @@url.pt@ i can bypass the proxy and access the internet, i don't
> know how faur, this could go!!
>
> so i don't know if this is a bug from IE or just a simple bug from
> Squid.. ??? can anyone tell what we have in hands ?
>
> PS: sorry my inglish
>
Out of interest, do you happen to know if your proxy also uses Dansguardian? I
ask because I work for the company behind CensorNet
(www.censornet.com) and we recently had to make a modification to the
Dansguardian code in order that the school kids that form the vast
bulk of our user base couldn't get to prohibited sites by the slight of putting
a trailing dot at the end of the url they wanted to visit.
We've fixed things such that invalid url's are no longer possible. I ask
because, our Access Denied page also claims to be a service provided
by Squid/2.3 STABLE5. Yet the problem was with DG and not Squid.
Regards
Neil
(Company .sig below, although this is a personal email address)
--
Neil Briscoe
Adelix Ltd
e: neil.briscoe@xxxxxxxxxx <mailto:neil.briscoe@xxxxxxxxxx>
t: +44 (0) 1252 338751 / f: +44 (0) 1454 228820
s: PO BOX 2000, Yate, Bristol, BS37 1DS. http://www.adelix.com
Any views expressed in this email communication are those
of the individual sender, except where the sender specifically states
them to be the views of a member of Adelix Ltd. Adelix Ltd. does not
represent, warrant or guarantee that the integrity of this communication
has been maintained nor that the communication is free of errors or
interference.