OT, sorta: Breaking pipes?

OT, sorta: Breaking pipes?

by Kurt Buff

All,

At $WORK I admin a nice Sidewinder. Works well. I like it, though I'm
not as fully trained on it as I'd like to be.

However, I'm seeing more complaints from end-users who are
encountering web sites that issue URLs with the pipe/vertical bar -
"|" - character embedded in them. The Sidewinder proxy denies it, as
is proper. The latest occurrence is a really stupid State government
web site that actually puts the pipe character at the end of the URL!

For those sites that we have a business case for end-user access, I
make an exception.

IT manager now considers this an annoyance, and wants justification
for not allowing URLs with the character through the proxy. I tell
him it violates the RFCs that I'm aware of (1738 and 2396 - 3986
doesn't really deal with it, AFAICT) and he wants me to
quantify/qualify the risk, and wants me to consider allowing that
character universally. I told him (as I believe to be correct) that
you can't do that without turning off the proxy entirely, which would
be foolish in the extreme.

Aside from what we (the manager and I) already know (that the pipe is
used in scripting/shells/etc. to redirect output from one program to
another) are there any other risks of which I'm not aware, or any
specific attacks that I can point to that have or do use this
character? I would think that our current understanding on this would
be sufficient justification for keeping things the way they are, but
apparently not.

This is really silly, and frustrating for me, though I suppose many of
you have fought the same (kinds of) battle, but any insight would
help.

Thanks,

Kurt
_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Re: OT, sorta: Breaking pipes?

by Chris Myers-3

Do you use Perl at all with CGI scripts? If so, this is just an  
example of what might be done with anything written with custom  
scripts. In this case, it is a specific vendor, but it could happen to  
anyone who does not code diligently.

http://www.kb.cert.org/vuls/id/496064

Thank You,

Chris Myers
clmmacunix@...

John 1:17
For the Law was given through Moses; grace and truth were realized  
through Jesus Christ.




    Go Vols!!!!

On Oct 27, 2009, at 1:48 PM, Kurt Buff wrote:

> All,
>
> At $WORK I admin a nice Sidewinder. Works well. I like it, though I'm
> not as fully trained on it as I'd like to be.
>
> However, I'm seeing more complaints from end-users who are
> encountering web sites that issue URLs with the pipe/vertical bar -
> "|" - character embedded in them. The Sidewinder proxy denies it, as
> is proper. The latest occurrence is a really stupid State government
> web site that actually puts the pipe character at the end of the URL!
>
> For those sites that we have a business case for end-user access, I
> make an exception.
>
> IT manager now considers this an annoyance, and wants justification
> for not allowing URLs with the character through the proxy. I tell
> him it violates the RFCs that I'm aware of (1738 and 2396 - 3986
> doesn't really deal with it, AFAICT) and he wants me to
> quantify/qualify the risk, and wants me to consider allowing that
> character universally. I told him (as I believe to be correct) that
> you can't do that without turning off the proxy entirely, which would
> be foolish in the extreme.
>
> Aside from what we (the manager and I) already know (that the pipe is
> used in scripting/shells/etc. to redirect output from one program to
> another) are there any other risks of which I'm not aware, or any
> specific attacks that I can point to that have or do use this
> character? I would think that our current understanding on this would
> be sufficient justification for keeping things the way they are, but
> apparently not.
>
> This is really silly, and frustrating for me, though I suppose many of
> you have fought the same (kinds of) battle, but any insight would
> help.
>
> Thanks,
>
> Kurt


Re: OT, sorta: Breaking pipes?

by Kurt Buff

On Sat, Nov 7, 2009 at 07:34, Chris Myers <clmmacunix@...> wrote:
> Do you use Perl at all with CGI scripts? If so, this is just an example of
> what might be done with anything written with custom scripts. In this case,
> it is a specific vendor, but it could happen to anyone who does not code
> diligently.
>
> http://www.kb.cert.org/vuls/id/496064

We don't use Perl/CGI here, but the example is instructive.

The issue at hand is for web browsing by clients - the newish manager
believes that it's just too annoying to add exceptions for the
misbehaving web sites. Of course, it's not just the pipe character.
It's also the other unsafe/unwise characters, and the URLs that are
longer than 1024 characters, etc.

At some point we may be hosting a web site locally, but that hasn't happened.

This is really an education issue, so anything that I can add to the
ammunition pile is helpful.

Kurt
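
Added example, not part of any poster's message and not the Sidewinder's own logic: the URL checks discussed in this thread (raw pipe and other unsafe/unwise characters, URLs longer than 1024 characters) written as a Python function, with a per-site tally that helps quantify which sites and rules the exceptions involve. The character sets follow RFC 2396 section 2.4.3; the function names, rule labels, hostnames and sample URLs are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# RFC 2396 sec. 2.4.3 "unwise" and delimiter sets ("#" and "%" remain legal).
UNWISE = set('{}|\\^[]`')
DELIMS = set('<>"')
MAX_URL_LENGTH = 1024  # length limit mentioned in the thread


def url_violations(url):
    """Return the sorted list of rules that a requested URL breaks."""
    found = set()
    if len(url) > MAX_URL_LENGTH:
        found.add("too-long")
    for ch in url:
        if ch in UNWISE:
            found.add("unwise:" + ch)
        elif ch in DELIMS:
            found.add("delim:" + ch)
        elif ord(ch) <= 0x20 or ord(ch) >= 0x7F:
            found.add("ctl-space-non-ascii")
    return sorted(found)


def summarize(urls):
    """Count offending requests per (host, rule) to size each exception."""
    counts = Counter()
    for url in urls:
        try:
            host = urlsplit(url).hostname or "?"
        except ValueError:  # e.g. stray "[" in the authority part
            host = "?"
        for rule in url_violations(url):
            counts[(host, rule)] += 1
    return counts


# Constructed sample requests (not real proxy log data).
SAMPLE = [
    "http://state.example.gov/forms/lookup?id=42|",     # raw pipe: denied
    "http://state.example.gov/forms/lookup?id=42%7C",   # escaped pipe: clean
    "http://shop.example.com/item?tags=a|b|c",
    "http://news.example.org/story?q=" + "x" * 1100,
    "http://intranet.example.net/index.html",
]

if __name__ == "__main__":
    for (host, rule), n in sorted(summarize(SAMPLE).items()):
        print(f"{host:24} {rule:20} {n}")
```

A percent-encoded pipe (`%7C`) passes the check, so a site that escapes its URLs correctly needs no exception at all.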