CGI Bypass - New features in bypass v2
Bypass v2 improves security, especially for CGI bypass.
The older version is now referred to as version 1.
In normal (non-CGI) bypass mode, e2g creates a hash of the url, bypasskey, client_ip and username, and this
is checked by e2g against the current values when the bypass link is used. This ensures that the bypass link
can only be used for the same url, by the same user and IP.
However, in version 1, when in CGI mode the bypass hash is generated by the CGI, based on the parameters
passed to it by the client browser, in a redirect from e2g. In this process it is possible for the user
to modify or forge the parameters (url, ip etc) and get access to a different site than the one redirected
from e2g.
In version 2 CGI mode, e2g generates a hash in the same way as in non-CGI use, and the CGI validates this
by adding the cgikey to the e2g hash and then creating a new hash from the result. When e2g receives this,
it repeats the whole hashing process: first the hash it would have generated, and then the resulting hash
as signed by the CGI. Only if this matches the received hash is the bypass allowed. Also, so that the
CGI can check whether details have been altered, a separate 'CHECK' hash is generated by e2g -
format md5(url + client_ip + user + cgikey).
Configuration - all in e2guardianfN.conf
For URL Bypass.
Set:-
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/e2guardian.pl'
bypassversion = 2
cgikey = 'your cgi key'
cgibypass = 'on'
bypasskey = '' # allow e2g to generate random key at start-up
bypass = 900 # number of seconds bypass is valid
For Infection URL bypass
If not already set by URL bypass:-
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/e2guardian.pl'
bypassversion = 2
cgikey = 'your cgi key'
Then set:-
cgiinfectionbypass = 'on'
infectionbypasskey = '' # allow e2g to generate random key at start-up
infectionbypass = 900 # number of seconds bypass is valid
V2 CGI processing
Your cgi program will be passed a number of parameters from e2g, giving DENIEDURL, REASON, USER, IP,
FILTERGROUP, CATEGORIES, REASON, CHECK and either GBYPASS (url bypass) or GIBYPASS (infection bypass).
Note that all parameters are sent URLencoded - if these are not decoded by your httpd server you will
need to URLdecode these before processing.
CHECK is an md5 hash of (DENIEDURL + IP + USER + cgikey) and will be the same as a similar hash
generated within the CGI, if the parameters match those generated by e2g. This can be used by
the CGI to check that a user has not changed or forged any parameters.
If the request is approved by the cgi, then the GBYPASS or GIBYPASS should be modified as follows
and then a redirect sent back to the browser to DENIEDURL + the modified G[I]BYPASS parameter.
Make sure you check for any existing parameters in DENIEDURL so that you add it prefixed with '?'
or '&' as needed.
Take the first 32 bytes of the G[I]BYPASS and make a new md5 hash based on this plus the cgikey.
Replace the first 32 bytes with the new hash.
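The V2 CGI steps above (verify CHECK, re-sign G[I]BYPASS, build the redirect) as an added Python sketch; it is not the project's e2guardian.pl. It assumes the parameters arrive as a URL-encoded query string and that hashes are lower-case hex digests; the function names are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

HEX = set("0123456789abcdefABCDEF")

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def check_matches(url, ip, user, check, cgikey):
    # CHECK = md5(DENIEDURL + IP + USER + cgikey), as described above.
    expected = md5_hex(url + ip + user + cgikey)
    # Assumption: CHECK is a hex digest; case is normalised before comparing.
    return hmac.compare_digest(expected.encode(), check.strip().lower().encode())

def sign_bypass(value, cgikey):
    head, tail = value[:32], value[32:]
    if len(head) != 32 or not set(head) <= HEX:
        raise ValueError("G[I]BYPASS does not start with a 32-character hash")
    # New hash over (first 32 bytes + cgikey) replaces those 32 bytes.
    # Assumption: e2g expects the lower-case hex form that hashlib emits.
    return md5_hex(head + cgikey) + tail

def approve(query_string, cgikey):
    """Return the redirect URL, or None if the request must be refused."""
    # parse_qs URL-decodes every value; keep blanks so an empty USER survives.
    q = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    name = "GBYPASS" if "GBYPASS" in q else "GIBYPASS"
    try:
        url, ip, user = q["DENIEDURL"], q["IP"], q["USER"]
        if not check_matches(url, ip, user, q["CHECK"], cgikey):
            return None  # url, ip or user was altered after e2g issued them
        signed = sign_bypass(q[name], cgikey)
    except (KeyError, ValueError):
        return None  # missing parameter or malformed bypass value
    # Prefix with '?' or '&' depending on whether DENIEDURL already has parameters.
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}{name}={signed}"
```

Run any site-specific approval logic between the CHECK test and `sign_bypass`; the cgikey passed in must be the same value as `cgikey` in e2guardianfN.conf.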
First draft 2nd Jan 2019 - requires checking - Philip Pearce