On Thu, 2003-08-28 at 20:29, atit jariwala wrote:
> Does this approach add any security hole or problem in Squid?

Yes, it allows cache poisoning.

Any client could, for instance, put up a server somewhere with porn
advertising, and then request:

    GET / HTTP/1.1
    Host: www.microsoft.com

and send the request to their server.
It would then reply with their advertising page.

Anyone subsequently requesting www.microsoft.com will get this
'poisoned' page instead.

Cheers
Rob
-- GPG key available at: <http://members.aardvark.net.au/lifeless/keys.txt>.
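
Added example, not part of the message above and not Squid's code: a toy model of the destination check that closes this hole. It assumes "this approach" means the proxy forwards each request to the address the client connected to while storing the reply under the Host header's name; the hostname, addresses, `Cache` class and `fetch` stand-in are constructed for illustration.

```python
import ipaddress

# Constructed data: the proxy's DNS view and two origin servers
# (documentation address ranges, not real hosts).
DNS = {"www.example.com": {"192.0.2.10"}}
SERVERS = {
    "192.0.2.10": "genuine page",
    "203.0.113.5": "unrelated advertising page",  # server run by the first client
}

def fetch(dst_ip, host, path):
    """Stand-in for the upstream request: the server at dst_ip answers for any Host."""
    return SERVERS[dst_ip]

class Cache:
    """Hypothetical proxy cache keyed on (Host, path), as the scenario assumes."""

    def __init__(self, verify_destination):
        self.verify_destination = verify_destination
        self.store = {}

    def destination_matches_host(self, host, dst_ip):
        # Store a reply only if dst_ip is an address the proxy itself
        # resolves for the Host name.
        resolved = {ipaddress.ip_address(a) for a in DNS.get(host, ())}
        return ipaddress.ip_address(dst_ip) in resolved

    def handle(self, host, path, dst_ip):
        host = host.lower().rstrip(".")
        key = (host, path)
        if key in self.store:
            return self.store[key], "HIT"
        body = fetch(dst_ip, host, path)
        if self.verify_destination and not self.destination_matches_host(host, dst_ip):
            return body, "MISS, not stored"  # relayed to this client only
        self.store[key] = body
        return body, "MISS, stored"

def second_client_gets(verify_destination):
    cache = Cache(verify_destination)
    # First client names www.example.com but connects to its own server.
    cache.handle("www.example.com", "/", "203.0.113.5")
    # Second client makes an ordinary request to the real address.
    return cache.handle("www.example.com", "/", "192.0.2.10")

if __name__ == "__main__":
    print(second_client_gets(False))
    print(second_client_gets(True))
```

Without the check the second client is served the first client's page from cache; with it, the mismatched reply is relayed but never stored under the Host name.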