It was detected that several firewall, caching and antivirus proxy software doesn't
enough restrict the HTTP/CONNECT feature. Looks like on some software this
can't be restricted by design.
It's possible to connect to arbitrary ports using this HTTP/CONNECT
feature, sometimes also below port 1024.
An example looks like this:
$ telnet your.local.proxy 3128
Connected to your.local.proxy.
Escape character is '^]'.
CONNECT wwwspecial.domain.example:44444 / HTTP/1.0
HTTP/1.0 200 Connection established
closed by foreign host.
If you see the eicar.com test file in clear text, a second issue exists, if
you use a antivirus proxy software: It doesn't scan any traffic using
HTTP/CONNECT, even it's not encrypted.
If you can also connect to ports lower than 1024, a third issue is coming up.
Try it by using:
CONNECT mail.domain.example:25 / HTTP/1.0
If working, possible any ports from 1 to 65535 can be connected from inside
to outside and breaks perhaps your security policy.
Finally a connection request to port 80 using:
CONNECT www.domain.example:80 / HTTP/1.0
This should be normally not working, too.
1) Disable method CONNECT completely, if possible by software and security
policy (this will disable HTTPS traffic also)
2) Restrict ports which can be used for method CONNECT to e.g. 443 (https)
only (Squid-Cache-Software does this by default setting since some years
to ports 443 and 563 [NNTP over ssl] only)
3) Restrict outgoing traffic from the proxy to allowed ports only using local
or near-by firewalling (e.g. port 80 and 443 only).
4) If antivirus is bypassed, contact vendor for solution