It was blocked by the proxy blocker. See [[User:Proxy blocker]] for details.
Theresa
-----Original Message----- From: Eric Demolli [mailto:demolli@unice.fr] Sent: 30 March 2004 11:55 To: English Wikipedia Subject: [WikiEN-l] Why am I blocked ?
Someone blocked my IP: 62.212.103.37. Why? This is my home network gateway. Did someone use this address for vandalism?
_______________________________________________ WikiEN-l mailing list WikiEN-l@Wikipedia.org http://mail.wikipedia.org/mailman/listinfo/wikien-l
It was the proxy blocker. But how does it work? I use Squid cache, but there should be no way to connect to my proxy port from the Net. I've added some ACLs to allow only my internal network IP; should I do something else? How can I be unblocked?
----- Original Message ----- From: "KNOTT, T" tknott@qcl.org.uk To: "English Wikipedia" wikien-l@Wikipedia.org Sent: Tuesday, March 30, 2004 1:06 PM Subject: RE: [WikiEN-l] Why am I blocked ?
It was blocked by the proxy blocker. See [[User:Proxy blocker]] for details.
Theresa
Eric Demolli wrote:
It was the proxy blocker. But how does it work? I use Squid cache, but there should be no way to connect to my proxy port from the Net. I've added some ACLs to allow only my internal network IP; should I do something else? How can I be unblocked?
That's all you have to do, secure the proxy and get a sysop to unblock you. Your computer will be rescanned eventually, and if you've configured your proxy correctly, you won't be reblocked.
-- Tim Starling
Tim Starling wrote:
Eric Demolli wrote:
It was the proxy blocker. But how does it work? I use Squid cache, but there should be no way to connect to my proxy port from the Net. I've added some ACLs to allow only my internal network IP; should I do something else? How can I be unblocked?
That's all you have to do, secure the proxy and get a sysop to unblock you. Your computer will be rescanned eventually, and if you've configured your proxy correctly, you won't be reblocked.
How hard would it be for us to have the ability to punch specific holes in our proxy blocker? It seems a shame for Eric to have to reconfigure something because of us. If someone were abusing his proxy, that might be a different matter.
I know that if my home network were to get blocked for this, I'd find it a royal pain in the ass to have to reconfigure.
--Jimbo
Thanks Jimmy. You know, I'm blocked again. As of today I considered my proxy secure. I'd just like to know what kind of security hole was discovered. If a proxy blocker has been implemented, I think it would be fair to say exactly why an address is blocked. Eric Demolli
----- Original Message ----- From: "Jimmy Wales" jwales@bomis.com To: "English Wikipedia" wikien-l@Wikipedia.org Sent: Wednesday, March 31, 2004 7:16 PM Subject: Re: [WikiEN-l] Re: Why am I blocked ?
Tim Starling wrote:
Eric Demolli wrote:
It was the proxy blocker. But how does it work? I use Squid cache, but there should be no way to connect to my proxy port from the Net. I've added some ACLs to allow only my internal network IP; should I do something else? How can I be unblocked?
That's all you have to do, secure the proxy and get a sysop to unblock you. Your computer will be rescanned eventually, and if you've configured your proxy correctly, you won't be reblocked.
How hard would it be for us to have the ability to punch specific holes in our proxy blocker? It seems a shame for Eric to have to reconfigure something because of us. If someone were abusing his proxy, that might be a different matter.
I know that if my home network were to get blocked for this, I'd find it a royal pain in the ass to have to reconfigure.
--Jimbo
Eric Demolli wrote:
Thanks Jimmy. You know, I'm blocked again. As of today I considered my proxy secure. I'd just like to know what kind of security hole was discovered. If a proxy blocker has been implemented, I think it would be fair to say exactly why an address is blocked.
Agreed. I think the ban-reason string should mention the port number at which an open proxy was detected.
Timwi
Eric Demolli wrote:
Thanks Jimmy. You know, I'm blocked again. As of today I considered my proxy secure. I'd just like to know what kind of security hole was discovered. If a proxy blocker has been implemented, I think it would be fair to say exactly why an address is blocked. Eric Demolli
Your computer has two ports open which are on the proxy checker's port list: 80 and 3128. Both seem to be correctly configured. I manually triggered the proxy blocker to attempt to block those two ports, and nothing happened. You have Apache running on 80, and it didn't understand the proxy request. You have squid on port 3128, and it gives an access denied error.
Nonetheless, the server logs show your computer asking for itself to be blocked, at April 1, 16:15.
62.212.103.37 - - [01/Apr/2004:16:15:35 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=62.212.103... HTTP/1.0" 200 4143 "-" "-"
The proxy blocker works by attempting to send a proxied request for Special:Blockme via the target computer. Special:Blockme will block the address if the originating IP matches the IP in the query string.
The logs also show a matching request for the edit page, which triggered the scan:
62.212.103.37 - - [01/Apr/2004:16:15:33 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Image_talk:Hindenburg.jpg&act... HTTP/1.1" 200 3550 "http://en.wikipedia.org/wiki/Image:Hindenburg.jpg" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
Was that you clicking on that edit link? Is MSIE 6.0 your browser?
It's possible for a malicious person to trick your browser into requesting the Special:Blockme address, e.g. with an image with its source set to Special:Blockme, a misleading link or a Java applet. The fact that there is also a request for an edit page makes this seem pretty unlikely, although not impossible.
Possible explanations range from the mundane to the extraordinary. You could have reconfigured your proxy after 16:15 and forgotten to tell us. There may have been an elaborate script embedded in Wikipedia or another web page you were surfing at the time. Your computer might have been hacked.
If this happens again, can you please contact me privately, immediately after the event? By IRC, user talk page, or email (t.starling at ph.unimelb.edu.au).
Tomos at Wikipedia wrote:
Hello.
It seems that one of our trusted users was blocked by proxy blocker even though his IPs are not open proxies. IPs I was informed of by the user were as follows:
220.146.24.126 220.146.22.87 220.146.22.10
I will unblock these addresses, but is it really effective if I do that? I am afraid that the blocker will re-block those addresses as soon as he starts editing. Can I do anything? Or is there anything the user should do? I would appreciate any suggestion.
This user appears to be on a dynamic IP address, so it's a bit hard for me to scan it and check for security. Can you have this person contact me when s/he is online? Perhaps by IRC? I found one relevant log entry:
220.146.22.87 - - [01/Apr/2004:00:56:55 +0000] "GET http://meta.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=220.146.... HTTP/1.0" 200 4017 "-" "-"
And a matching edit request:
220.146.22.87 - - [01/Apr/2004:00:56:55 +0000] "GET http://meta.wikipedia.org/w/wiki.phtml?title=MediaWiki_feature_request_and_b... HTTP/1.1" 200 89899 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
This user may have an open proxy on his/her computer without knowing it.
The thing about the proxy blocker is that it's not particularly prone to false positives. If you get blocked, it means either you have an open proxy, or something fishy is going on. If people are being blocked by a malicious user, we will need to enhance the security in Special:Blockme, adding some sort of authentication to ensure the requests are genuine.
-- Tim Starling
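The log correlation Tim Starling walks through above (a Special:Blockme hit paired with an edit-page request from the same address seconds earlier) can be scripted for triage. This is an added example, not part of the thread or of MediaWiki; the sample lines are constructed, `action=edit` as the edit-page marker and the 10-second window are assumptions, and treating a Referer or User-Agent on the Blockme hit as a sign of a browser-originated request is this example's heuristic, not something the thread states.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format, as in the entries quoted in the thread.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def parse(line):
    m = LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def triage(lines, window=timedelta(seconds=10)):
    """For each Special:Blockme hit, report whether the same IP requested an
    edit page shortly before, and whether the hit carried browser headers."""
    recs = [r for r in map(parse, lines) if r]
    findings = []
    for hit in recs:
        if "title=Special:Blockme" not in hit["url"]:
            continue
        edit_before = any(
            e["ip"] == hit["ip"] and "action=edit" in e["url"]
            and timedelta(0) <= hit["ts"] - e["ts"] <= window
            for e in recs)
        # Heuristic (assumption): an embedded image or link would be fetched
        # by a browser, which normally sends a Referer and a User-Agent.
        browser_headers = hit["referer"] != "-" or hit["agent"] != "-"
        if browser_headers:
            verdict = "review: request carries browser headers"
        elif edit_before:
            verdict = "consistent with a scan triggered by an edit"
        else:
            verdict = "review: no edit request preceded the block request"
        findings.append((hit["ip"], verdict))
    return findings

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE = [
    '192.0.2.10 - - [01/Apr/2004:16:15:33 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Sandbox&action=edit HTTP/1.1" 200 3550 "http://en.wikipedia.org/wiki/Sandbox" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Apr/2004:16:15:35 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=192.0.2.10 HTTP/1.0" 200 4143 "-" "-"',
    '192.0.2.77 - - [01/Apr/2004:17:02:10 +0000] "GET http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=192.0.2.77 HTTP/1.1" 200 4143 "http://example.org/page.html" "Mozilla/4.0"',
]
```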
Tim Starling wrote:
The proxy blocker works by attempting to send a proxied request for Special:Blockme via the target computer. Special:Blockme will block the address if the originating IP matches the IP in the query string.
Isn't this really quite insecure? You've already mentioned the problem that someone can thus block someone else by tricking them into viewing a page with an embedded image. Another insecurity is that anyone can block a shared computer.
My suggestion would be to have the Proxy Prober (I'll call it that for lack of an established term) send not just the to-be-blocked IP address, but also the entire ban-reason string through the proxy. This means that someone would have to fake the reason string, or else sysops will be able to unblock them easily.
Another thing I would like to suggest, and I've actually suggested that before, is that the reason string should include the port number, so that any sysop can check if the IP is still an open proxy.
Thanks, Timwi
Tim Starling wrote:
It's possible for a malicious person to trick your browser into requesting the Special:Blockme address, e.g. with an image with its source set to Special:Blockme
Hmmm, that doesn't sound sensible, it's just too easy for someone to screw around with.
Is this right? All I need to do is have a cgi script on a web page that dynamically generates a link like this:
<img src=http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=xxx.xxx.xx...
where I substitute xxx.xxx.xxx.xxx with the victim's ip number?
So, on my User:EvilUser homepage I just write: "Sysops and wikipedians! Before you ban me or get upset with my actions, please read my explanation of my behavior at http://www.eviluser.com/wikipedia.cgi ! Thanks!"
Heh. But, not good.
This seems easy enough to fix. The link above should do nothing. If we're testing a proxy, we should try to get the client to request ...?title=Special:Blockme&validation=xxxxxxxxxxxxxxxx
where 'xxxxxxxxxxxxxx' is something that we can generate easily but that's difficult for User:EvilUser to duplicate.
--Jimbo
Jimmy Wales wrote:
This seems easy enough to fix. The link above should do nothing. If we're testing a proxy, we should try to get the client to request ...?title=Special:Blockme&validation=xxxxxxxxxxxxxxxx where 'xxxxxxxxxxxxxx' is something that we can generate easily but that's difficult for User:EvilUser to duplicate.
Additionally, it should probably be a POST request, so it can't be embedded in an IMG tag anyway.
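One way to build the `validation` value Jimmy Wales proposes, combined with the POST-only rule and Timwi's request that the block reason carry the port. This is an added example, not MediaWiki's code; `make_token`, `check_blockme`, the secret and the 300-second lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: a secret known only to the wiki and its prober (constructed value).
SECRET = b"constructed-demo-secret"
MAX_AGE = 300  # seconds a probe token stays valid (assumed value)


def make_token(ip, port, issued, secret=SECRET):
    """Token the prober attaches to the request it sends through ip:port."""
    msg = f"{ip}|{port}|{issued}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{port}.{issued}.{mac}"


def check_blockme(method, client_ip, ip_param, token, now=None, secret=SECRET):
    """Return (should_block, reason) for a hypothetical hardened Special:Blockme."""
    now = int(time.time()) if now is None else now
    if method != "POST":
        # An <img> tag or a plain link can only produce a GET.
        return False, "not a POST request"
    if client_ip != ip_param:
        return False, "originating IP does not match ip parameter"
    try:
        port_s, issued_s, _mac = token.split(".")
        port, issued = int(port_s), int(issued_s)
    except (AttributeError, ValueError):
        return False, "malformed validation token"
    # Recompute the token for this IP and port; compare in constant time.
    expected = make_token(ip_param, port, issued, secret)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False, "validation token mismatch"
    if not 0 <= now - issued <= MAX_AGE:
        return False, "validation token expired"
    # The port is authenticated, so it can go into the block reason.
    return True, f"open proxy detected on port {port}"
```

Because the token covers the address, the port and the issue time, a link crafted by a third party fails the check, and the returned reason tells a sysop which port to re-test.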
I have to say that I'm not a Unix guru at all.
Well, I've inspected my computer and found a typo in the iptables that left the port 3128 open. I think it should be OK now but I'm not certain. If someone can verify and unblock me I'll be happy.
I would suggest to improve the proxy blocker:
- By reporting what kind of security hole was discovered,
- By adding a button to allow the blocked user to for a recheck of his computer and unblock himself when the hole is fixed.
Eric Demolli
----- Original Message ----- From: "Timwi" timwi@gmx.net To: wikien-l@Wikipedia.org Sent: Friday, April 02, 2004 11:41 AM Subject: [WikiEN-l] Re: Why am I blocked ?
Jimmy Wales wrote:
This seems easy enough to fix. The link above should do nothing. If we're testing a proxy, we should try to get the client to request ...?title=Special:Blockme&validation=xxxxxxxxxxxxxxxx where 'xxxxxxxxxxxxxx' is something that we can generate easily but that's difficult for User:EvilUser to duplicate.
Additionally, it should probably be a POST request, so it can't be embedded in an IMG tag anyway.
I have to say that I'm not a Unix guru at all.
Well, I've inspected my computer and found a typo in the iptables that left the port 3128 open. I think it should be OK now but I'm not certain. If someone can verify and unblock me I'll be happy.
I would suggest to improve the proxy blocker :
- By reporting what kind of security hole was discovered,
- By adding a button to allow the blocked user to for a recheck of his computer and unblock himself when the hole is fixed.
Eric Demolli
I don't know if this will help or not, but opm.blitzed.org also thinks you have an open proxy. My SpamAssassin flagged your last message thusly:
pts  rule name              description
---- ---------------------- --------------------------------------------------
 4.3 RCVD_IN_OPM            RBL: Received via a relay in opm.blitzed.org
                            [62.212.103.37 listed in opm.blitzed.org]
 4.3 RCVD_IN_OPM_HTTP_POST  RBL: OPM: sender is open HTTP POST proxy
                            [62.212.103.37 listed in opm.blitzed.org]
This has nothing to do with the proxy; this has to do with the SMTP port. OK, I will block SMTP.
Eric Demolli.
----- Original Message ----- From: "Sean Barrett" sean@epoptic.org To: demolli@unice.fr Cc: wikien-l@Wikipedia.org Sent: Friday, April 02, 2004 4:19 PM Subject: Re: *****SPAM***** Re: [WikiEN-l] Re: Why am I blocked ?
I have to say that I'm not a Unix guru at all.
Well, I've inspected my computer and found a typo in the iptables that left the port 3128 open. I think it should be OK now but I'm not certain. If someone can verify and unblock me I'll be happy.
I would suggest to improve the proxy blocker :
- By reporting what kind of security hole was discovered,
- By adding a button to allow the blocked user to for a recheck of his computer and unblock himself when the hole is fixed.
Eric Demolli
I don't know if this will help or not, but opm.blitzed.org also thinks you have an open proxy. My SpamAssassin flagged your last message thusly:
pts  rule name              description
---- ---------------------- --------------------------------------------------
 4.3 RCVD_IN_OPM            RBL: Received via a relay in opm.blitzed.org
                            [62.212.103.37 listed in opm.blitzed.org]
 4.3 RCVD_IN_OPM_HTTP_POST  RBL: OPM: sender is open HTTP POST proxy
                            [62.212.103.37 listed in opm.blitzed.org]
-- Sean Barrett | Gee, Mr. Wizard! Aren't nuclear reactors dangerous? sean@epoptic.com |
Oops, I'm wrong!
On Apr 2, 2004, at 5:58 AM, Eric Demolli wrote:
I have to say that I'm not a Unix guru at all.
And I bet more non-gurus will run into this problem.
I would suggest to improve the proxy blocker :
- By reporting what kind of security hole was discovered,
I'd suggest accompanying the report with some instruction on patching the hole. I myself am not a guru in this area, so I don't know how much detail automatically selected instructions could have in this case.
Peter
-- ---<>--- -- A house without walls cannot fall. Help build the world's largest encyclopedia at Wikipedia.org -- ---<>--- --