[Zope-Coders] Re: [ZC] 360/ 3 Assign "Zope should issue a 4xx on proxy attacks"

Casey Duncan casey@ZOPE.COM
Tue, 23 Apr 2002 10:26:57 -0600


I think this proposal should be written up in the fishbowl for wider 
audience discussion before changes to the code are made. Not to say that 
it is a bad idea, it just needs fleshing out IMHO.

-Casey

Collector: Zope Bugs, Features, and Patches ... wrote:
> Issue #360 Update (Assign) "Zope should issue a 4xx on proxy attacks"
>  Status Accepted, Zope/bug medium
> To followup, visit:
>   http://collector.zope.org/Zope/360
> 
> ==============================================================
> = Assign - Entry #3 by htrd on Apr 23, 2002 3:49 am
> 
>  Status: Pending => Accepted
> 
>  Supporters added: htrd
> 
> Reading further in RFC2616, there is a requirement in section 5.2 that origin servers MUST return a 400 (Bad Request) error if the host name taken from either Host header or host part of a proxy-style request is not a valid hostname on that server.
> 
> Zope certainly violates this at the moment. Fixing it would satisfy both the original reporter of this bug, and the zope-talks-like-a-proxy crowd.
> 
> I propose:
> 
> 1. An extra command line option to specify a valid host name. This may be repeated more than once.
> 2. If that option is specified zero times, it behaves as today
> 3. If that option is specified once or more, Zope will check the host name (from host header or uri) and raise a 400 error if it is not one of those listed.
> 
> The only disadvantage: it is yet another command line option.
> 
> ________________________________________
> = Comment - Entry #2 by htrd on Apr 23, 2002 3:27 am
> 
> This behaviour is correct according to my reading of RFC 2616 (HTTP 1.1). Section 5.1.2 says a Request-URI may be an absoluteURI (the proxy form), an abs_path (the origin server form), or several other forms. There is a requirement that the absoluteURI form is used when the request is being made to a proxy, but I see no requirement that the absoluteURI form may not be used when the request is being made to an origin server.
> 
> Note that there are a number of practical uses to sending proxy-style requests to Zope, so banning proxy-style requests altogether is not an option. A command-line switch might be appropriate if this is a widespread problem,
> 
> Perhaps the best solution is to hide Zope/ZServer behind a front-end proxy such as Apache or Squid. This will also protect Zope from numerous other http-level attacks.
> 
> A less invasive short-term workaround would be to explicitly check REQUEST variables in your standard_html_header, and manually raise a 404 if the host appears to be wrong.
> 
> 
> ________________________________________
> = Request - Entry #1 by datagrok on Apr 22, 2002 9:45 pm
> 
> Issuing a GET http://www.yahoo.com/ HTTP/1.1 to my zope server returns a 200 OK status along with my site's root page.
> 
> This makes proxy-attacking scripts think that I'm an open proxy, and they continue to issue queries to my server, attempting to exploit other sites. These queries fail because the paths do not exist on my server, but it is nonetheless annoying:
> 
>         24.43.108.245 - Anonymous [18/Apr/2002:14:08:26 -0400] "GET http://edit.yahoo.com/config/ncclogin?.src=ym&login=___tech___&passwd=butthead&n=1 HTTP/1.0" 404 2042 "" ""
>         24.43.108.245 - Anonymous [18/Apr/2002:14:32:12 -0400] "GET http://edit.yahoo.com/config/ncclogin?.src=ym&login=___tech___&passwd=dalee&n=1 HTTP/1.0" 404 2042 "" ""
>         24.43.108.245 - Anonymous [18/Apr/2002:15:03:57 -0400] "GET http://edit.yahoo.com/config/ncclogin?.src=ym&login=___tech___&passwd=flipper&n=1 HTTP/1.0" 404 2042 "" ""
>         24.43.108.245 - Anonymous [18/Apr/2002:15:06:12 -0400] "GET http://edit.yahoo.com/config/ncclogin?.src=ym&login=___alien___&passwd=ugly&n=1 HTTP/1.0" 404 2042 "" ""
>         24.43.108.245 - Anonymous [18/Apr/2002:15:13:57 -0400] "GET http://edit.yahoo.com/config/ncclogin?.src=ym&login=___alien___&passwd=waterboy&n=1 HTTP/1.0" 404 2042 "" ""
>         24.43.108.245 - Anonymous [18/Apr/2002:15:18:56 -0400] "GET http://edit.yahoo.com/config/ncclogin?.src=ym&login=___tech___&passwd=guest&n=1 HTTP/1.0" 404 2042 "" ""
>         24.43.108.245 - Anonymous [18/Apr/2002:16:09:48 -0400] "GET http://edit.yahoo.com/config/ncclogin?.src=ym&login=___alien___&passwd=?????????&n=1 HTTP/1.0" 404 2042 "" ""
>         24.43.108.245 - Anonymous [18/Apr/2002:16:20:39 -0400] "GET http://edit.yahoo.com/config/ncclogin?.src=ym&login=___asshole___&passwd=mundanes&n=1 HTTP/1.0" 404 2042 "" ""
>         24.43.108.245 - Anonymous [18/Apr/2002:16:57:47 -0400] "GET http://edit.yahoo.com/config/ncclogin?.src=ym&login=___asshole___&passwd=puffing&n=1 HTTP/1.0" 404 2042 "" ""
>         24.43.108.245 - Anonymous [18/Apr/2002:17:12:47 -0400] "GET http://edit.yahoo.com/config/ncclogin?.src=ym&login=___asshole___&passwd=sabrina&n=1 HTTP/1.0" 404 2042 "" ""
>         24.43.108.245 - Anonymous [18/Apr/2002:17:28:48 -0400] "GET http://edit.yahoo.com/config/ncclogin?.src=ym&login=___alien___&passwd=cristyn&n=1 HTTP/1.0" 404 2042 "" ""
>         24.43.108.245 - Anonymous [18/Apr/2002:17:59:51 -0400] "GET http://edit.yahoo.com/config/ncclogin?.src=ym&login=___alien___&passwd=fishermen&n=1 HTTP/1.0" 404 2042 "" ""
> 
> Issuing a proxy request to a server that does not do proxying should result in a 4xx error.
> ==============================================================
> 
> 
>
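The host check htrd proposes in entry #3 (take the host from the absoluteURI if the request is proxy-style, otherwise from the Host header; do nothing when no valid host names are configured; answer 400 when one or more are configured and the host is not among them) can be sketched as a small standalone function. This is an added illustration written for this archive page, not Zope or ZServer code and not htrd's patch; the function and variable names and the two sample requests are constructed for the example, and the request-line parsing is deliberately minimal.

```python
from urllib.parse import urlsplit

# Constructed sample requests (not taken from the original report): a
# proxy-style request using an absoluteURI, and an origin-server style
# request using an abs_path plus a Host header carrying a port.
PROXY_STYLE_REQUEST = (
    "GET http://www.example.com/ HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)
ORIGIN_STYLE_REQUEST = (
    "GET /index_html HTTP/1.1\r\n"
    "Host: Zope.Example.ORG:8080\r\n"
    "\r\n"
)


def parse_request_head(raw):
    """Split a raw HTTP request head into (method, request_uri, version, headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, request_uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, request_uri, version, headers


def effective_host(request_uri, headers):
    """Return the host name the request is addressed to, per RFC 2616 section 5.2.

    If the Request-URI is an absoluteURI, its host part wins and the Host
    header is ignored; otherwise the Host header is used. Ports and IPv6
    brackets are stripped and the result is lower-cased.
    """
    if "://" in request_uri:
        host = urlsplit(request_uri).hostname  # already lower-cased, port removed
        if host is not None:
            return host
    # Prefix "//" so urlsplit treats the Host value as a netloc and handles
    # "name:port" and "[v6-literal]:port" uniformly.
    host = urlsplit("//" + headers.get("host", "")).hostname
    return host or ""


def check_host(raw_request, allowed_hosts):
    """Apply the proposed rule.

    Returns None when the request may proceed, or a (400, reason) tuple when
    valid host names are configured and the request's host is not one of them.
    With an empty allowed list the check is skipped, matching Zope's current
    behaviour of serving every host name.
    """
    if not allowed_hosts:
        return None
    _, request_uri, _, headers = parse_request_head(raw_request)
    host = effective_host(request_uri, headers)
    allowed = {h.lower() for h in allowed_hosts}
    if host not in allowed:
        return (400, "Bad Request: host %r is not served by this server" % host)
    return None


if __name__ == "__main__":
    # Proxy-style request for a foreign host against a server that only
    # answers for zope.example.org: the case from the original report.
    print(check_host(PROXY_STYLE_REQUEST, ["zope.example.org"]))
    # Ordinary request for the configured host: passes through.
    print(check_host(ORIGIN_STYLE_REQUEST, ["zope.example.org"]))
```

Note that a request carrying no Host header at all yields an empty host and therefore a 400 once any valid name is configured, which is also what RFC 2616 section 14.23 asks of an HTTP/1.1 origin server; if HTTP/1.0 clients without Host must keep working, that case would need to be exempted explicitly.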