OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Using Squid to disable (or exploit) Helix Code's lynx trick
From: Peter W (peterwUSA.NET)
Date: Wed Aug 30 2000 - 21:57:40 CDT

At 6:08pm Aug 29, 2000, Helix Code, Inc. wrote:

> The go-gnome pre-installer has been updated on the main Helix Code mirror and
> go-gnome.com. This new version fixes this vulnerability by storing files in
> /var/cache/helix-install, which is writable only by root.

If your users are behind a Squid proxy, I would suggest the following to
protect them from any new problems that might creep up in the script, as
well as network errors, DNS hijacking, etc., etc., since Helix Code seems
to really like this remarkably dangerous hack.

Step 1. Add the following to squid.conf. Be careful with the ACL order!

acl gognome dstdomain go-gnome.com
acl gognome dstdomain spidermonkey.helixcode.com
deny_info ERR_GOGNOME gognome
http_access deny gognome

Step 2. Create a file ERR_GOGNOME in Squid's errors directory
        (An example is attached.)

Step 3. Use something like `squid -k reconfigure` to activate the changes.

Naturally, an attacker could use similar techniques to subvert those
behind the Squid proxy. And transparent redirects could be used to subvert
those behind a NAT / IP Masq / Internet Connection Sharing setup.[0]

-Peter

[0] http://www.squid-cache.org/Doc/FAQ/FAQ-17.html