AUSCERT External Security Bulletin Redistribution

 ESB-2004.0175 -- Squid Proxy Cache Security Update Advisory SQUID-2004:1
       Squid-2.5.STABLE5 fixes and features for URL encoding tricks
                               02 March 2004


        AusCERT Security Bulletin Summary

Product:                Squid-2.5.STABLE5
Publisher:              The Squid HTTP Proxy developer team
Impact:                 Reduced Security
Access Required:        Existing Account
CVE Names:              CAN-2003-1025

Ref:                    AA-2003.04

--------------------------BEGIN INCLUDED TEXT--------------------


      Squid Proxy Cache Security Update Advisory SQUID-2004:1

Advisory ID:            SQUID-2004:1
Date:                   February 29, 2004
Summary:                Squid-2.5.STABLE5 fixes and features for
                        URL encoding tricks.
Affected versions:      Squid-2.x up to and including 2.5.STABLE4


Problem Description:

 This memo discusses two important changes to Squid that
 deal with URL encoding issues.  These changes are available
 in Squid version 2.5.STABLE5.

 The first is a workaround for a recently-discovered Microsoft
 Internet Explorer bug.  The MSIE bug causes certain specially
 crafted URLs to be incorrectly displayed.  In particular, the
 user sees one hostname, while the request is sent to a different
 origin server.  This bug is triggered by creating a URL that has
 a hostname in the userinfo credentials field followed by an
 encoded, non-printable control character.  (For additional
 information, see http://www.kb.cert.org/vuls/id/652278)
 To help address this problem, Squid now includes a new access
 control type that can match patterns in the userinfo field.

 The second fixes a bug in Squid that allows users to bypass
 certain access controls.  Squid versions 2.5.STABLE4 and earlier
 contain a bug in the "%xx" URL decoding function.  It may insert
 a NUL character into decoded URLs, which may allow users to
 bypass url_regex ACLs.

 You can also find information on the changes by visiting our
 patch archive for version Squid-2.5.STABLE5:


------------------------------------------------------------------


 The MSIE bug does not pose any security problems to Squid itself.
 However, it does allow your users to be fooled into visiting a
 malicious site.  To block such URLs with Squid, you can use the
 new 'urllogin' ACL type:

    acl UserInfoControlChar urllogin [[:cntrl:]]
    http_access deny UserInfoControlChar
    <additional http_access rules follow>

 NOTE: regular expression libraries may vary from system to
 system.  Please double-check that the "[[:cntrl:]]" works on your
 particular operating system.

 The Squid decoding bug may allow clever users to bypass your
 access controls that use 'url_regex' ACL types.  If "%00" appears
 in the URL, previous Squid versions insert a NUL character when
 decoding.  For example, consider this access control:

    acl BadSite url_regex www\.example\.com
    http_access deny BadSite

 and this URL requested by a user:


 The vulnerable Squid will insert a NUL character after "foo" and
 make a comparison between "http://foo" and "www\.example\.com".
 The comparison does not result in a match, and the user's request
 is not denied.

 This bug has been fixed by leaving any occurrences of "%00" in
 place while decoding.
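
 The decoding difference described above, modelled as an added example
 (not Squid source code).  unescape() is a simplified stand-in for
 Squid's "%xx" decoder, POSIX regexec() stands in for the url_regex
 comparison, and the sample URL is constructed for the illustration.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>

static const char PATTERN[] = "www\\.example\\.com";   /* the BadSite regex */
static const char SAMPLE_URL[] = "http://foo%00@www.example.com/"; /* constructed */

/* Decode %xx in place. keep_nul=0 models 2.5.STABLE4 and earlier ("%00"
 * becomes a real NUL byte); keep_nul=1 models the fix ("%00" is left as-is). */
static void unescape(char *s, int keep_nul)
{
    char *out = s;
    for (; *s; s++) {
        if (s[0] == '%' && isxdigit((unsigned char)s[1]) &&
            isxdigit((unsigned char)s[2])) {
            char hex[3] = { s[1], s[2], '\0' };
            long v = strtol(hex, NULL, 16);
            if (v != 0 || !keep_nul) {
                *out++ = (char)v;
                s += 2;
                continue;
            }
        }
        *out++ = *s;
    }
    *out = '\0';
}

/* Return 1 if the pattern matches the decoded URL, 0 if not, -1 on error. */
static int acl_matches(const char *pattern, const char *url, int keep_nul)
{
    char buf[512];
    regex_t re;
    int hit;
    snprintf(buf, sizeof(buf), "%s", url);
    unescape(buf, keep_nul);
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    hit = (regexec(&re, buf, 0, NULL, 0) == 0);  /* C string: ends at first NUL */
    regfree(&re);
    return hit;
}

int main(void)
{
    printf("old decoder: match=%d\n", acl_matches(PATTERN, SAMPLE_URL, 0));
    printf("new decoder: match=%d\n", acl_matches(PATTERN, SAMPLE_URL, 1));
    return 0;
}
```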


Updated Packages:

 The Squid-2.5.STABLE5 release contains fixes for these
 problems. You can download the Squid-2.5.STABLE5 release from


 or the mirrors (may take a while before all mirrors are updated).
 For a list of mirror sites see


 Individual patches for the issues mentioned can be found in our
 patch archive for version Squid-2.5.STABLE4


 The patches should also apply with only minimal effort to
 earlier Squid 2.5 versions if required.

 If you are using a prepackaged version of Squid then please
 refer to the package vendor for availability information on
 updated packages.


Determining if your version is vulnerable:

 To determine which version of Squid you are using, run the command

    squid -v

 You are likely to be vulnerable to these issues if you are
 running version 2.5.STABLE4 or earlier.

 If you are using a binary or otherwise pre-packaged version,
 please check with your vendor which versions are affected, as
 some vendors ship earlier versions with the needed patches
 applied.  Note that unless you have upgraded to a version
 released after 2003-01-14 you are most likely vulnerable to
 these issues.

 There is no easy means to determine if your version is affected
 other than by the Squid version number.


Other versions of Squid:

 Versions prior to the 2.5 series are deprecated; please update
 to Squid-2.5.STABLE5 if you are using a version older than 2.5.

 These changes have also been made to the Squid-3 source tree.



 To address the MSIE URL display bug, you may want to upgrade your
 Explorer installations if and when a patch is available from

 You may be able to work around the MSIE bug by developing a
 Squid redirector.  When the redirector program detects a
 suspicious URL (e.g., with control characters in the userinfo
 field), it can redirect the user to a local page that describes
 the issue.
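
 A sketch of such a redirector, added here as an example and not
 supplied by the Squid project.  It assumes the Squid 2.x redirector
 interface (one request per line on stdin with the URL as the first
 field; a reply of "302:" plus a URL sends an HTTP redirect, an empty
 line leaves the request unchanged); BLOCK_PAGE is a hypothetical
 local page.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical local page explaining why the request was stopped. */
#define BLOCK_PAGE "http://proxy.example.internal/suspicious-url.html"

/* Return 1 if the userinfo field (between "://" and the last '@' of the
 * authority) contains a control character, raw or %xx-encoded. */
static int userinfo_has_cntrl(const char *url)
{
    const char *p = strstr(url, "://"), *end, *at = NULL, *q;
    if (p == NULL)
        return 0;
    p += 3;
    end = p + strcspn(p, "/?#");            /* authority ends here */
    for (q = p; q < end; q++)
        if (*q == '@')
            at = q;
    if (at == NULL)
        return 0;                           /* no userinfo field */
    for (q = p; q < at; q++) {
        if (iscntrl((unsigned char)*q))
            return 1;
        if (*q == '%' && at - q > 2 && isxdigit((unsigned char)q[1]) &&
            isxdigit((unsigned char)q[2])) {
            char hex[3] = { q[1], q[2], '\0' };
            if (iscntrl((int)strtol(hex, NULL, 16)))
                return 1;
        }
    }
    return 0;
}

/* Redirector loop (assumed protocol): URL is the first field of each line. */
int main(void)
{
    char line[8192];
    while (fgets(line, sizeof(line), stdin) != NULL) {
        line[strcspn(line, " \r\n")] = '\0';    /* keep only the URL */
        if (userinfo_has_cntrl(line))
            printf("302:%s\n", BLOCK_PAGE);
        else
            printf("\n");
        fflush(stdout);                         /* Squid waits for each reply */
    }
    return 0;
}
```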

 The best way to avoid Squid's "%00" bug is to not use any
 url_regex ACL types.  You may want to use dst_domain and/or
 urlpath_regex types instead.


Contact details for the Squid project:

 For installation / upgrade support: Your first point of contact
 should be your binary package vendor.

 If your install is built from the original squid sources, then
 the squid-users@squid-cache.org mailing list is your primary
 support point. (see <http://www.squid-cache.org/mailing-lists.html>
 for subscription details).

 For bug reporting, particularly of security-related bugs, the
 squid-bugs@squid-cache.org mailing list is the appropriate forum.
 It's a closed list (though anyone can post) and security related
 bug reports are treated in confidence until the impact has been
 established. For non security related bugs, the squid bugzilla
 database should be used <http://www.squid-cache.org/bugs/>.



 Mitch Adair reported the %00 bug.

 Duane Wessels, for patching the %00 bug and adding the urllogin
 ACL type.


Revision history:

 2004-01-14 21:10 GMT Initial release

--------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967