[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Squid URL Filtering Bypass

On 17/04/2012 10:11 a.m., Gabriel Menezes Nunes wrote:
# Exploit Title: Squid URL Filtering Bypass
# Date: 16/04/2012
# Author: Gabriel Menezes Nunes
# Version: Squid Proxy
# Tested on: Squid Proxy 3.1.19
# CVE: CVE-2012-2213

I found a vulnerability in Squid Proxy that allows access to filtered sites.
The software believes in the Host field of HTTP Header using CONNECT method.

Host: www.facebook.com

It is blocked.

CONNECT HTTP/1.1 (without host field)

It is blocked.


Host: www.uol.com.br (allowed url)

The connection works.

 From here, I can send SSL traffic without a problem. This way, I can
access any blocked site that allows SSL connections.

This vulnerability is different from the CONNECT Tunnel method. The
flaw is on the Host field processing. The software believes on this

So, any sites can be accessed. URL filtering in this software is
irrelevant and useless.
One of the most important (if not the most important) feature of this
kind of device is to protect the network in accessing specific URLs.
So, this flaw is very dangerous, and it can be implemented even in
malwares, bypassing any protection.
I developed a python script that acts like a proxy and it uses this
flaw to access any site.
This tool is just a proof of concept.

Can you please email these details and the squid.conf used to find it to the security bugs reporting address bugs at squid-cache.org.

This appears to be an aspect of same-origin bypass (CVE-2009-0801) or something closely related.

Thank You
Amos Jeffries
Squid Software Foundation