RE: [SQU] Hiding the name and version of squid in the error messa ge from Bruno Guerreiro on 2001-03-05 (squid-users)

From: Bruno Guerreiro <bruno.guerreiro@dont-contact.us>
Date: Mon, 5 Mar 2001 22:02:29 -0000

Ok.
You want to hide the remove the information that you are squid from any
hacker/user.
What I tried to show you is that even if you remove that information from
the bottom of the error page, it would still be as simple a looking at the
headers of any error page with a simple telnet to the Squid port.

Regards,

Bruno Guerreiro

-----Original Message-----
From: Hamid Hashemi Golpayegani [mailto:hamid@morva.net]
Sent: Segunda-feira, 5 de Março de 2001 20:31
To: Bruno Guerreiro; 'Joe Erlewein'
Cc: squid-users@ircache.net
Subject: RE: [SQU] Hiding the name and version of squid in the error
message

I want to prevent from this message at the bottom of the page that is not
contain in /etc/squid/erros document . like this :

Generated Mon, 05 Mar 2001 20:29:08 GMT by marmar1.morva.net
(Squid/2.4.PRE-STABLE)
^^^^^^^^^^^^^^^^^^
I don't want to any one know my hostname .

--
Regards
    ============================================================
   /  Seyyed Hamid Reza    /        WINDOWS FOR NOW  !!            /
  /  Hashemi Golpayegani  /  Linux for future , FreeBSD for ever  /
 /    Morva System Co.   / ------------------------------------- /
/  Network Administrator/ hamid@morva.net   ,   ICQ# : 42209876 /
===========================================================
-----Original Message-----
From: Bruno Guerreiro [mailto:bruno.guerreiro@ine.pt]
Sent: Monday, March 05, 2001 11:10 PM
To: 'Joe Erlewein'
Cc: squid-users@ircache.net
Subject: RE: [SQU] Hiding the name and version of squid in the error message
Hi,
I don't know if you can disable the %s in the error pages but a simple
telnet to the Squid port will also give the information that you want to
hide.
telnet xxx.xxx.xxx.xxx 80
get
HTTP/1.0 400 Bad Request
Server: Squid/2.3.STABLE4
^^^^^^^^^^^^^^^^^^^^^^^^^
Mime-Version: 1.0
Date: Mon, 05 Mar 2001 19:33:46 GMT
Content-Type: text/html
Content-Length: 824
Expires: Mon, 05 Mar 2001 19:33:46 GMT
X-Squid-Error: ERR_INVALID_REQ 0
  ^^^^^
As far as I can tell Netscape-Proxy and MSProxy also disclose their names
and versions.
Regards,
Bruno Guerreiro
-----Original Message-----
From: Joe Erlewein [mailto:IS_JRERL@mhc.net]
Sent: Segunda-feira, 5 de Março de 2001 18:21
To: hno@hem.passagen.se; kareem@tri.net.sa
Cc: squid-users@ircache.net
Subject: Re: [SQU] Hiding the name and version of squid in the error
message
Hello,
In the professional environment I intend to implement this cache solution,
this is very unacceptable.
Linux has been a long-outlawed OS here, and with this recent opportunity to
use something like it,
My objective it so make it as bulletproof as possible. In order to do this,
I need to be sure that the system CANNOT be identified to outside (or
inside) users/hacks.
Thus, the proposed hiding of the cache name / version appears good, but
anyone can click "view source" and have a field day.
Is there a way to reassign the value reported by %s,  or is there a way
(possibly recompiling?)  to disale the addition of %s if it is undefined?
ie: stop the default signature from being added.
I'd hate to leave an open invitiation to the possibility of compromise, and
am actually considering scrapping squid altogether for something commercial
based on this one fatal flaw.
I'm hoping for a workaround, as personally I'd rather use Linux/Squid, but
professionally I'm simply not willing to take the risk...
Joseph R. Erlewein, N8OUZ
Intern, Networking
Munson Healthcare
>>> Henrik Nordstrom <hno@hem.passagen.se> 2/14/2001 3:55:20 PM >>>
You cannot completely hide it, but you can put it inside a HTML comment
making it less obvious to the user..
Exampel custom signature: (add it to the end of each error page)
<br clear="all">
<hr noshade size=1>
Generated %T
<!-- %h (%s) -->
Unless the error page includes "%s" (Squid name and version) the default
signature will be added.
Note: If you prefer to have the datestamps using your local timezone,
then use %t instead of %T above.
--
Henrik Nordstrom
Squid hacker
Kareem Mahgoub wrote:
>
> Hi all
> I would like to know if there is a way to hide the version and the name of
> squid, on all error messages.
> I have checked in the FAQ and I found how to change all the parameters but
> not the name and the version that appears in the last line of the error
> message.
> Any help would be appreciated.
> Regards,
> Kareem Mahgoub
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html

Received on Mon Mar 05 2001 - 15:05:22 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:32 MST