PUT requests - using them to chat on IRC servers

From: Oskar Pearson <oskar@dont-contact.us>
Date: Wed, 23 Dec 1998 15:06:05 +0200

Hi

This is pretty much a 'heads up' - this stuff has been mentioned on bugtraq
before, so it's not new.

The PUT problem that people discussed in Bugtraq is being actively used
to gain access to IRC servers in South Africa.

There are two reasons that people could to this:

1) They want to make it look like they have comprimised your cache server
2) Their firewall denies them access to IRC, but allows them web/cache
        access.

This does not appear to work in Squid-1.2 and above, but I have spent a
total of about 30 seconds trying to get it to work: it probably can work...
Squid-1.2+ complains about the lack of a content length

We were originally contacted since someone thought that our cache server
had been compromised, since someone was IRCing from there. This machine
runs the old NOVM version (it's a low load machine, and it's stable).

To test if this works with your cache server:

--------
Connected to yourcache.domain.example.
Escape character is '^]'.
PUT http://ircserver.anotherdomain.example:6667/ HTTP/1.1

nick yournickname
user yourname yourcache.domain.example ircserver.anotherdomain.example :Yourname
join #channelname
privmsg #channelname :hello people
--------

To get around this:

1) upgrade - may or may not help.
2) add the following to squid.conf

---
acl DENY_PUT_ports port 6667 7000
acl PUT method PUT
# add the following line just beneath the line that reads
#  http_access deny Dangerous_ports
http_access deny PUT DENY_PUT_ports
---
Hope that this helps someone.
Oskar
---
"Haven't slept at all. I don't see why people insist on sleeping. You feel
so much better if you don't. And how can anyone want to lose a minute -
a single minute of being alive?"				-- Think Twice
Received on Tue Jul 29 2003 - 13:15:55 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:12:01 MST