  1. Traffic Server
  2. TS-2954

cache poisoning due to proxy.config.http.use_client_target_addr = 1

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.1.0
    • Component/s: Cache, DNS, Security, TProxy
    • Labels:
      None

      Description

      The current implementation of proxy.config.http.use_client_target_addr opens a very simple attack vector for cache poisoning in transparent forwarding mode.

      An attacker (or malware installed on an innocent end user's computer) puts a fake IP for a popular website like www.google.com or www.facebook.com in the hosts file on a PC behind the proxy. Once an infected PC requests the webpage in question, a cacheable fake response poisons the cache.

      In order to prevent such scenarios (as well as some others), Squid has implemented a mechanism known as Host Header Forgery Detection.

      In short, while requesting a URL from the origin server IP as hinted by the client, the proxy makes an independent DNS query in parallel in order to determine if the client-supplied IP belongs to the requested domain name. In case of a discrepancy between DNS and the client IP, the transaction shall be flagged as non-cacheable to avoid possible cache poisoning, while still serving the origin response to the client.
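
The check described above, as an added example that is not part of the original report and is not Traffic Server or Squid code: the response is still fetched from the address the client targeted, but it is stored only when the proxy's own lookup of the Host name contains that address. All function names, the DNS table and the origin table are constructed for illustration, and the lookup runs sequentially here rather than in parallel.

```python
import ipaddress

# Constructed data: the proxy's DNS view and what each origin address serves.
DNS = {"www.example.com": ["203.0.113.10", "203.0.113.11"]}
ORIGINS = {"203.0.113.10": "genuine", "203.0.113.11": "genuine",
           "198.51.100.66": "forged"}  # address from a tampered hosts file


def _norm(addr):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr)
    return getattr(ip, "ipv4_mapped", None) or ip


def resolve(host):
    """Stand-in for the proxy's independent DNS query."""
    if host not in DNS:
        raise OSError("NXDOMAIN")
    return DNS[host]


def fetch(ip, host, path):
    """Stand-in for the origin request sent to the client-hinted address."""
    return ORIGINS[str(_norm(ip))]


def target_is_verified(host, client_target, resolve):
    """True only if the proxy's own lookup of host contains client_target."""
    try:
        answers = {_norm(a) for a in resolve(host)}
    except (OSError, ValueError):
        return False  # lookup failed: the response may be served, never cached
    return _norm(client_target) in answers


def handle(cache, host, path, client_target, resolve, fetch):
    """Serve one transparent request; returns (body, cache_status)."""
    key = (host.lower(), path)
    if key in cache:
        return cache[key], "HIT"
    body = fetch(client_target, host, path)  # still honour the client's target
    if target_is_verified(host, client_target, resolve):
        cache[key] = body
        return body, "MISS-STORED"
    return body, "MISS-NOT-CACHED"  # discrepancy: keep it out of the cache
```

The client with the tampered hosts file still receives the response from the address it chose, but that response never reaches other users through the cache.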

        Attachments

        1. ts-2954-take2.patch
          12 kB
          Susan Hinrichs
        2. ts-2954-final.patch
          13 kB
          Susan Hinrichs
        3. ts-2954.patch
          11 kB
          Susan Hinrichs

            People

            • Assignee:
              shinrich Susan Hinrichs
              Reporter:
              ngorchilov Nikolai Gorchilov