Published:
02 March 2004
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2004.0175 -- Squid Proxy Cache Security Update Advisory SQUID-2004:1
Squid-2.5.STABLE5 fixes and features for URL encoding tricks
02 March 2004
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Squid-2.5.STABLE5
Publisher: The Squid HTTP Proxy developer team
Impact: Reduced Security
Access Required: Existing Account
CVE Names: CAN-2003-1025
Ref: AA-2003.04
ESB-2004.0083
- --------------------------BEGIN INCLUDED TEXT--------------------
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2004:1
__________________________________________________________________
Advisory ID: SQUID-2004:1
Date: February 29, 2004
Summary: Squid-2.5.STABLE5 fixes and features for
URL encoding tricks.
Affected versions: Squid-2.x up to and including 2.5.STABLE4
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2004_1.txt
__________________________________________________________________
Problem Description:
This memo discusses two important changes to Squid that
deal with URL encoding issues. These changes are available
in Squid version 2.5.STABLE5.
The first is a workaround for a recently-discovered Microsoft
Internet Explorer bug. The MSIE bug causes certain specially
crafted URLs to be incorrectly displayed. In particular, the
user sees one hostname, while the request is sent to a different
origin server. This bug is triggered by creating a URL that has
a hostname in the userinfo credentials field followed by an
encoded, non-printable control character. (For additional
information, see http://www.kb.cert.org/vuls/id/652278)
To help address this problem, Squid now includes a new access
control type that can match patterns in the userinfo field.
The second fixes a bug in Squid that allows users to bypass
certain access controls. Squid versions 2.5.STABLE4 and earlier
contain a bug in the "%xx" URL decoding function. It may insert
a NUL character into decoded URLs, which may allow users to
bypass url_regex ACLs.
You can also find information on the changes by visiting our
patch archive for version Squid-2.5.STABLE5:
http://www.squid-cache.org/Versions/v2/2.5/bugs/
- ------------------------------------------------------------------
Severity:
The MSIE bug does not pose any security problems to Squid itself.
However, it does allow your users to be fooled into visiting a
malicious site. To block such URLs with Squid, you can use the
new 'urllogin' ACL type:
acl UserInfoControlChar urllogin [[:cntrl:]]
http_access deny UserInfoControlChar
<additional http_access rules follow>
NOTE: regular expression libraries may vary from system to
system. Please double-check that the "[[:cntrl:]]" works on your
particular operating system.
The Squid decoding bug may allow clever users to bypass your
access controls that use 'url_regex' ACL types. If "%00" appears
in the URL, previous Squid versions insert a NUL character when
decoding. For example, consider this access control
configuration:
acl BadSite url_regex www\.example\.com
http_access deny BadSite
and this URL requested by a user:
http://foo%00@www.example.com/
The vulnerable Squid will insert a NUL character after "foo" and
make a comparison between "http://foo" and "www\.example\.com".
The comparison does not result in a match, and the user's request
is not denied.
This bug has been fixed by leaving any occurrences of "%00" in
place while decoding.
__________________________________________________________________
Updated Packages:
The Squid-2.5.STABLE5 release contains fixes for these
problems. You can download the Squid-2.4.STABLE5 release from
ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
http://www.squid-cache.org/Versions/v2/2.5/
or the mirrors (may take a while before all mirrors are updated).
For a list of mirror sites see
http://www.squid-cache.org/Mirrors/ftp-mirrors.html
http://www.squid-cache.org/Mirrors/http-mirrors.html
Individual patches to the mentioned issues can be found from our
patch archive for version Squid-2.5.STABLE4
http://www.squid-cache.org/Versions/v2/2.5/bugs/
The patches should also apply with only a minimal effort to
earlier Squid 2.5 versions if required.
If you are using a prepackaged version of Squid then please
refer to the package vendor for availability information on
updated packages.
__________________________________________________________________
Determining if your version is vulnerable:
To determine which version of Squid you are using, run the command
squid -v
You are likely to be vulnerable to these issues if you are
running version 2.5.STABLE4 or earlier.
If you are using a binary or otherwise pre-packaged version
please verify with your vendor on which versions are affected as
some vendors ship earlier versions with the needed patches
applied. Note that unless you have upgraded to a version
released after 2003-01-14 you are most likely vulnerable to
these issues.
There is no easy means to determine if your version is affected
other than by the Squid version number.
__________________________________________________________________
Other versions of Squid:
Versions prior to the 2.5 series are deprecated, please update
to Squid-2.5.STABLE5 if you are using a version older than 2.5.
These changes have also been made to the Squid-3 source tree.
__________________________________________________________________
Workarounds:
To address the MSIE URL display bug, you may want to upgrade your
Explorer installations if and when a patch is available from
Microsoft.
You may be able to work around the MSIE bug by developing a
Squid redirector. When the redirector program detects a
suspicious URL (e.g., with control characters in the userinfo
field), it can redirect the user to a local page that describes
the issue.
The best way to avoid Squid's "%00" bug is to not use any
url_regex ACL types. You may want to use dst_domain and/or
urlpath_regex types instead.
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support: Your first point of contact
should be your binary package vendor.
If your install is built from the original squid sources, then
the squid-users@squid-cache.org mailing list is your primary
support point. (see <http://www.squid-cache.org/mailing-lists.html>
for subscription details).
For bug reporting, particularly security related bugs the
squid-bugs@squid-cache.org mailing list is the appropriate forum.
It's a closed list (though anyone can post) and security related
bug reports are treated in confidence until the impact has been
established. For non security related bugs, the squid bugzilla
database should be used <http://www.squid-cache.org/bugs/>.
__________________________________________________________________
Credits:
Mitch Adair reported %00 bug.
Duane Wessels, for patching the %00 bug and adding the urllogin
ACL type.
__________________________________________________________________
Revision history:
2004-01-14 21:10 GMT Initial release
__________________________________________________________________
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQEQl6yh9+71yA2DNAQFGqwP/YMGWfxNiAgQWu907QXUKTSm+N8B5EqHV
8MRBTuaKJYy4EDTNoarsu7ERoXjzow8eyWg0b3VYFoXloNpVZP/S5YGCBbMN9ofM
4I//kHpxc01ZM7W1HzrPKxOZE6lsgx7ScTdTm46vn3O94WSsw2FqFfkshH1zih1J
hLgM1iAuSEs=
=LE0K
-----END PGP SIGNATURE-----