Bug 37837 - Document DHCP option wpad
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Documentation
UCS@school 4.1 R2
Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.2 v4
Assigned To: Daniel Tröder
Sönke Schwardt-Krummrich
Depends on:
Blocks:
Reported: 2015-02-18 16:39 CET by Michael Grandjean
Modified: 2017-10-16 21:35 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.154
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:

Description Michael Grandjean univentionstaff 2015-02-18 16:39:01 CET
Right now there is only a vague sentence regarding that proxy settings are distributed via DHCP by default:

http://docs.univention.de/ucsschool-handbuch-4.0.html#school:proxy
> By default, the proxy configuration is distributed via DHCP; however, this setting is not supported by all browsers.

There is no documentation on how this is done (wpad) or how to turn it off.

In a current case (Ticket#2014112021000242) this feature led to strange behaviour when accessing a local Windows web server.

Disabling:
> udm dhcp/service modify --dn cn=<hostname>,cn=dhcp,ou=<schoolname>,<ldap-base> --set option=''
> ucr unset dhcpd/options/wpad/252
> /etc/init.d/univention-dhcp restart

Enabling again:
> udm dhcp/service modify --dn cn=<hostname>,cn=dhcp,ou=<schoolname>,<ldap-base> --append option='wpad "http://<FQDN-of-schoolserver>/proxy.pac";'
> ucr set dhcpd/options/wpad/252=text
> /etc/init.d/univention-dhcp restart
Comment 1 Philipp Hahn univentionstaff 2016-11-25 18:24:33 CET
WPAD is a security disaster and should not be used: <https://www.us-cert.gov/ncas/alerts/TA16-144A>
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2016-12-05 12:06:42 CET
(In reply to Philipp Hahn from comment #1)
> WPAD is a security disaster and should not be used:

I second that.
Comment 3 Michael Grandjean univentionstaff 2017-04-18 12:04:56 CEST
(In reply to Sönke Schwardt-Krummrich from comment #2)
> (In reply to Philipp Hahn from comment #1)
> > WPAD is a security disaster and should not be used:
> 
> I second that.

I don't want to argue with you, but with Bug #31728 we now also provide a wpad.dat next to the proxy.pac, so imho this should really be documented somewhere. Not documenting it doesn't make it any less a security problem.

I regularly have to support customers in turning this off, because of different scenarios where clients need to access a web service on the same subnet without proxy authentication. The most common is a local Windows Update repository (Windows Server Update Services, WSUS).
Comment 4 Daniel Tröder univentionstaff 2017-04-18 12:19:14 CEST
Documentation should include information about the UCRVs proxy/pac/exclude/*.
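An added example, not Univention's proxy.pac and not code from this bug: a PAC file that returns DIRECT for the local subnet and for explicitly excluded hosts (the WSUS-on-the-same-subnet case from comment 3) and sends everything else through the proxy. Hostnames, subnet and proxy address are placeholders; the exclusion list stands in for the proxy/pac/exclude/* UCR variables named in comment 4, and the browser-provided isInNet() is replaced by an inline helper so the file can be checked with node.

```javascript
// Constructed placeholder values; in UCS@school the exclusions would be
// derived from the proxy/pac/exclude/* UCR variables, not hard-coded here.
var EXCLUDED_HOSTS = ["wsus.school.example", "intranet.school.example"];
var LOCAL_NET = "192.0.2.0";        // placeholder school subnet (TEST-NET-1)
var LOCAL_MASK = "255.255.255.0";
var PROXY = "PROXY proxy.school.example:3128";

// Inline stand-in for the browser's isInNet(): true if the dotted IPv4
// literal `ip` lies inside net/mask. Only IP literals are checked, so no
// DNS lookups happen while evaluating the PAC file.
function ipInNet(ip, net, mask) {
  var p = ip.split("."), n = net.split("."), m = mask.split(".");
  if (p.length !== 4) return false;
  for (var i = 0; i < 4; i++) {
    var bit = parseInt(m[i], 10);
    if ((parseInt(p[i], 10) & bit) !== (parseInt(n[i], 10) & bit)) return false;
  }
  return true;
}

function isIpv4Literal(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Entry point every PAC file must provide; the browser calls it per request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names and loopback never go through the proxy.
  if (host.indexOf(".") === -1 || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Hosts the administrator excluded explicitly (e.g. the WSUS server).
  for (var i = 0; i < EXCLUDED_HOSTS.length; i++) {
    if (host === EXCLUDED_HOSTS[i]) return "DIRECT";
  }
  // IP literals inside the local subnet reach the service without the proxy.
  if (isIpv4Literal(host) && ipInNet(host, LOCAL_NET, LOCAL_MASK)) return "DIRECT";
  // Everything else: authenticated school proxy.
  return PROXY;
}
```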
Comment 5 Daniel Tröder univentionstaff 2017-09-27 12:59:04 CEST
3e90381f: document DHCP option wpad
8ce291ee: fix spelling
97a76be (doc-common): add abbreviations

http://jenkins.knut.univention.de:8080/job/UCSschool%204.2/job/Manual/3/artifact/webroot/ucsschool-handbuch-4.2.html#school:proxy
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2017-10-11 14:35:58 CEST
Did some additions:

doc-common:
86e95304e120 | Bug #37837: add new entries to dictionary

manual:
1cb7700d5e66 | Bug #37837: Merge branch 'sschwardt/37837/42/wpad-manual' into 4.2
4b9002d87d41 | Bug #37837: add line break in example code / fixed typos
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2017-10-16 21:35:41 CEST
UCS@school 4.2 v4 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.2v4-de.html

If this error occurs again, please clone this bug.