On 13.07.2012 05:30, Tsantilas Christos wrote:
>
>> src/forward.cc:
>> * It seems that selectPeerForIntercepted() is permitting pinned
>> destinations to pass-thru when Host header is non-validated.
>> Malicious intercepted clients now only need to send www-auth
>> credentials for a connection-auth scheme (triggering pinning) to be
>> able to make poisoning attacks on any followup pipelined request.
>> eg:
>> GET / HTTP/1.1
>> Host: cahoots.server
>> WWW-authenticate: NTLM fake
>> \r\n
>> GET /poisoned-URI/ HTTP/1.1
>> Host: victim.site
>
> Inside selectPeerForIntercept there is the call:
> client->validatePinnedConnection
> Which checks if the host header is the correct one and if it is not
> unpins the connection.
>
I've been considering this more and it appears that your point stands
up well. This is something we need in 3.2.
Would you mind applying the particular selectPeerForIntercepted()
creation change separately as a new partial for the fix on bug 3579?
Amos
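To make the pinned-connection check discussed above concrete, here is an added illustration (not Squid's code) of the rule a pinned intercepted connection needs: reuse the pinned server socket only when the request's Host header matches the pinned origin, and unpin otherwise so the request falls back to the validated destination. The ClientConn struct, hostHeader() and selectDestination() are hypothetical stand-ins for the real validatePinnedConnection() logic, and the validated destination is assumed to be the intercepted TCP destination.

```cpp
#include <cctype>
#include <sstream>
#include <string>

// Hypothetical model of a client connection whose server-side socket is
// "pinned" to one origin (e.g. after NTLM connection-oriented auth).
struct ClientConn {
    std::string pinnedHost;   // empty when the connection is not pinned
    bool pinned() const { return !pinnedHost.empty(); }
    void unpin() { pinnedHost.clear(); }
};

// Extract the Host header value from one raw HTTP/1.1 request head.
std::string hostHeader(const std::string& req) {
    std::istringstream in(req);
    std::string line;
    const std::string key = "host:";
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.size() <= key.size()) continue;
        std::string prefix = line.substr(0, key.size());
        for (char& ch : prefix)
            ch = static_cast<char>(std::tolower(static_cast<unsigned char>(ch)));
        if (prefix != key) continue;
        size_t p = key.size();
        while (p < line.size() && line[p] == ' ') ++p;   // skip leading spaces
        return line.substr(p);
    }
    return "";
}

// Choose where a request arriving on an intercepted connection goes.
// A pinned server socket is reused only when the Host header matches the
// pinned origin; on mismatch the connection is unpinned and the request is
// sent to validatedDst (assumed here to be the intercepted TCP destination).
std::string selectDestination(ClientConn& c, const std::string& req,
                              const std::string& validatedDst) {
    if (c.pinned()) {
        if (hostHeader(req) == c.pinnedHost) return c.pinnedHost;
        c.unpin();   // Host does not match the pinned origin: stop reusing it
    }
    return validatedDst;
}

int main() {
    ClientConn c{"cahoots.server"};   // constructed sample: pinned after auth
    selectDestination(c, "GET / HTTP/1.1\r\nHost: cahoots.server\r\n\r\n", "10.0.0.1");
    bool ok = selectDestination(c, "GET /x HTTP/1.1\r\nHost: victim.site\r\n\r\n",
                                "10.0.0.1") == "10.0.0.1" && !c.pinned();
    return ok ? 0 : 1;
}
```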
Received on Mon Jul 16 2012 - 02:42:11 MDT
This archive was generated by hypermail 2.2.0 : Mon Jul 16 2012 - 12:00:03 MDT