
UNIRAS Brief - 101/04 - Squid Proxy Cache Security Update Advisory SQUID-2004:1


----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 101/04 dated 03.03.04  Time: 14:45
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------


Squid-2.5.STABLE5 fixes and features for URL encoding tricks.


This memo discusses two important changes to Squid that deal with URL 
encoding issues.  These changes are available in Squid version 2.5.STABLE5.

 ESB-2004.0175 -- Squid Proxy Cache Security Update Advisory SQUID-2004:1
       Squid-2.5.STABLE5 fixes and features for URL encoding tricks
                               02 March 2004

Product:                Squid-2.5.STABLE5
Publisher:              The Squid HTTP Proxy developer team
Impact:                 Reduced Security
Access Required:        Existing Account
CVE Names:              CAN-2003-1025

Ref:                    AA-2003.04


      Squid Proxy Cache Security Update Advisory SQUID-2004:1

Advisory ID:            SQUID-2004:1
Date:                   February 29, 2004
Summary:                Squid-2.5.STABLE5 fixes and features for
                        URL encoding tricks.
Affected versions:      Squid-2.x up to and including 2.5.STABLE4


Problem Description:

 This memo discusses two important changes to Squid that
 deal with URL encoding issues.  These changes are available
 in Squid version 2.5.STABLE5.

 The first is a workaround for a recently-discovered Microsoft Internet Explorer bug.  The MSIE bug causes certain specially crafted URLs to be incorrectly displayed.  In particular, the user sees one hostname, while the request is sent to a different origin server.  This bug is triggered by creating a URL that has a hostname in the userinfo credentials field followed by an encoded, non-printable control character.  (For additional information, see http://www.kb.cert.org/vuls/id/652278)
 To help address this problem, Squid now includes a new access control type that can match patterns in the userinfo field.

 The second fixes a bug in Squid that allows users to bypass certain access controls.  Squid versions 2.5.STABLE4 and earlier contain a bug in the "%xx" URL decoding function.  It may insert a NUL character into decoded URLs, which may allow users to bypass url_regex ACLs.

 You can also find information on the changes by visiting our patch archive for version Squid-2.5.STABLE5:


------------------------------------------------------------------


 The MSIE bug does not pose any security problems to Squid itself.  However, it does allow your users to be fooled into visiting a malicious site.  To block such URLs with Squid, you can use the new 'urllogin' ACL type:

    acl UserInfoControlChar urllogin [[:cntrl:]]
    http_access deny UserInfoControlChar
    <additional http_access rules follow>

 NOTE: regular expression libraries may vary from system to system.  Please double-check that the "[[:cntrl:]]" works on your particular operating system.

 The Squid decoding bug may allow clever users to bypass your access controls that use 'url_regex' ACL types.  If "%00" appears in the URL, previous Squid versions insert a NUL character when decoding.  For example, consider this access control

    acl BadSite url_regex www\.example\.com
    http_access deny BadSite

 and this URL requested by a user:


 The vulnerable Squid will insert a NUL character after "foo" and make a comparison between "http://foo" and "www\.example\.com".  The comparison does not result in a match, and the user's request is not denied.

 This bug has been fixed by leaving any occurrences of "%00" in place while decoding.


Updated Packages:

 The Squid-2.5.STABLE5 release contains fixes for these problems.  You can download the Squid-2.5.STABLE5 release from


 or the mirrors (may take a while before all mirrors are updated).  For a list of mirror sites see


 Individual patches to the mentioned issues can be found from our patch archive for version Squid-2.5.STABLE4


 The patches should also apply with only a minimal effort to earlier Squid 2.5 versions if required.

 If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages.


Determining if your version is vulnerable:

 To determine which version of Squid you are using, run the command

    squid -v

 You are likely to be vulnerable to these issues if you are running version 2.5.STABLE4 or earlier.

 If you are using a binary or otherwise pre-packaged version please verify with your vendor on which versions are affected as some vendors ship earlier versions with the needed patches applied.  Note that unless you have upgraded to a version released after 2003-01-14 you are most likely vulnerable to these issues.

 There is no easy means to determine if your version is affected other than by the Squid version number.


Other versions of Squid:

 Versions prior to the 2.5 series are deprecated, please update to Squid-2.5.STABLE5 if you are using a version older than 2.5.

 These changes have also been made to the Squid-3 source tree.



 To address the MSIE URL display bug, you may want to upgrade your Explorer installations if and when a patch is available from Microsoft.

 You may be able to work around the MSIE bug by developing a Squid redirector.  When the redirector program detects a suspicious URL (e.g., with control characters in the userinfo field), it can redirect the user to a local page that describes the issue.

 The best way to avoid Squid's "%00" bug is to not use any url_regex ACL types.  You may want to use dst_domain and/or urlpath_regex types instead.
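 The two checks discussed above, as an added C example that is not code from Squid or from this advisory: a hypothetical %xx decoder in both its pre-STABLE5 form (where "%00" becomes a NUL) and its fixed form, a url_regex-style match run over each so the bypass and the fix are visible, and a userinfo control-character check of the kind the 'urllogin' ACL or a redirector would perform. All function names are my own, and every URL fed to them is a constructed sample.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical %xx decoder (not Squid's code); returns the decoded length. keep_nul == 0 mimics
 * Squid <= 2.5.STABLE4 ("%00" becomes a NUL that truncates the string); != 0 is the STABLE5 fix. */
static size_t url_unescape(char *s, int keep_nul)
{
    char *r = s, *w = s;
    while (*r) {
        if (*r == '%' && isxdigit((unsigned char)r[1]) && isxdigit((unsigned char)r[2])) {
            int c = (int)strtol((char[]){ r[1], r[2], '\0' }, NULL, 16);
            if (c == 0 && keep_nul) { *w++ = *r++; *w++ = *r++; *w++ = *r++; } /* keep "%00" */
            else { *w++ = (char)c; r += 3; }
        } else {
            *w++ = *r++;                        /* ordinary byte: copy through */
        }
    }
    *w = '\0';
    return (size_t)(w - s);
}

/* Stand-in for "acl BadSite url_regex www\.example\.com": 1 when the decoded URL still
 * matches (denied), 0 when bypassed.  strstr(), like regexec(), stops at the first NUL. */
static int badsite_matches(const char *url, int keep_nul)
{
    char buf[512];
    strncpy(buf, url, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    url_unescape(buf, keep_nul);
    return strstr(buf, "www.example.com") != NULL;
}

/* In the spirit of "acl UserInfoControlChar urllogin [[:cntrl:]]": 1 if the userinfo of
 * scheme://userinfo@host/... decodes to a control character, else 0. */
static int userinfo_has_cntrl(const char *url)
{
    const char *p = strstr(url, "://"), *at;
    char buf[256];
    size_t ulen, n, i;
    if (!p) return 0;
    p += 3;
    at = memchr(p, '@', strcspn(p, "/"));       /* look for '@' in the authority part only */
    if (!at) return 0;                          /* no credentials at all */
    ulen = (size_t)(at - p);
    if (ulen >= sizeof buf) return 1;           /* oversized userinfo: treat as suspicious */
    memcpy(buf, p, ulen); buf[ulen] = '\0';
    n = url_unescape(buf, 0);                   /* walk by length so a decoded NUL is seen */
    for (i = 0; i < n; i++) if (iscntrl((unsigned char)buf[i])) return 1;
    return 0;
}
```

 Run badsite_matches() on the same constructed URL with keep_nul 0 and 1 to see the old decoder lose the match and the fixed one keep it.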


Contact details for the Squid project:

 For installation / upgrade support: Your first point of contact should be your binary package vendor.

 If your install is built from the original squid sources, then the squid-users@xxxxxxxxxxxxxxx mailing list is your primary support point (see <http://www.squid-cache.org/mailing-lists.html> for subscription details).

 For bug reporting, particularly security related bugs, the squid-bugs@xxxxxxxxxxxxxxx mailing list is the appropriate forum.  It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established.  For non security related bugs, the squid bugzilla database should be used <http://www.squid-cache.org/bugs/>.



 Mitch Adair reported the %00 bug.

 Duane Wessels, for patching the %00 bug and adding the urllogin ACL type.


Revision history:

 2004-01-14 21:10 GMT Initial release

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of squid-cache for the information 
contained in this Briefing. 
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
