Bug #6995

closed

Security Issue - SquidAnalyzer

Added by Bruno Kammers over 7 years ago. Updated over 7 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Dashboard
Target version: -
Start date: 12/08/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.x
Affected Architecture: All

Description

I found this flaw when I was testing SquidAnalyzer.

I noticed that it is possible to access the URL of the package directly, without going through the authentication.

Ex.: Host IP - 200.200.200.200

WebConfigurator - https://200.200.200.2009

Squidanalyzer URL - https://200.200.200.200:9443/squidreport

#1

Updated by Bruno Kammers over 7 years ago

If you open the URL directly, access is accomplished without authentication.

#2

Updated by Jim Pingle over 7 years ago

  • Status changed from New to Rejected
  • Priority changed from Very High to Normal

There is no pfSense package by that name.

Furthermore, any package that runs its own daemon on an alternate port has to manage its own security -- there isn't anything pfSense can do about that. Packages that use their own GUI files outside of the pfSense GUI framework must also handle their own security.

In those cases, don't expose the affected port to untrusted networks.

#3

Updated by Kill Bill over 7 years ago

There is no SquidAnalyzer anywhere in pfSense packages. If you are unable to secure random third-party stuff properly, stop installing it on your firewall.
