__________________________________________________________________

         Squid Proxy Cache Security Update Advisory SQUID-2004:1
__________________________________________________________________

Advisory ID:        SQUID-2004:1
Date:               February 29, 2004
Summary:            Squid-2.5.STABLE5 fixes and features for URL
                    encoding tricks.
Affected versions:  Squid-2.x up to and including 2.5.STABLE4
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2004_1.txt
__________________________________________________________________

Problem Description:

    This memo discusses two important changes to Squid that deal with
    URL encoding issues. These changes are available in Squid version
    2.5.STABLE5.

    The first is a workaround for a recently-discovered Microsoft
    Internet Explorer bug. The MSIE bug causes certain specially
    crafted URLs to be incorrectly displayed. In particular, the user
    sees one hostname, while the request is sent to a different origin
    server. This bug is triggered by creating a URL that has a hostname
    in the userinfo credentials field followed by an encoded,
    non-printable control character. (For additional information, see
    http://www.kb.cert.org/vuls/id/652278)

    To help address this problem, Squid now includes a new access
    control type that can match patterns in the userinfo field.

    The second fixes a bug in Squid that allows users to bypass certain
    access controls. Squid versions 2.5.STABLE4 and earlier contain a
    bug in the "%xx" URL decoding function. It may insert a NUL
    character into decoded URLs, which may allow users to bypass
    url_regex ACLs.

    You can also find information on the changes by visiting our patch
    archive for version Squid-2.5.STABLE5:

        http://www.squid-cache.org/Versions/v2/2.5/bugs/

------------------------------------------------------------------

Severity:

    The MSIE bug does not pose any security problems to Squid itself.
    However, it does allow your users to be fooled into visiting a
    malicious site.
    To block such URLs with Squid, you can use the new 'urllogin' ACL
    type:

        acl UserInfoControlChar urllogin [[:cntrl:]]
        http_access deny UserInfoControlChar

    NOTE: regular expression libraries may vary from system to system.
    Please double-check that the "[[:cntrl:]]" works on your particular
    operating system.

    The Squid decoding bug may allow clever users to bypass your access
    controls that use 'url_regex' ACL types. If "%00" appears in the
    URL, previous Squid versions insert a NUL character when decoding.
    For example, consider this access control configuration:

        acl BadSite url_regex www\.example\.com
        http_access deny BadSite

    and this URL requested by a user:

        http://foo%00@www.example.com/

    The vulnerable Squid will insert a NUL character after "foo" and
    make a comparison between "http://foo" and "www\.example\.com". The
    comparison does not result in a match, and the user's request is
    not denied.

    This bug has been fixed by leaving any occurrences of "%00" in
    place while decoding.
__________________________________________________________________

Updated Packages:

    The Squid-2.5.STABLE5 release contains fixes for these problems.

    You can download the Squid-2.5.STABLE5 release from

        ftp://ftp.squid-cache.org/pub/archive/2.5/
        http://www.squid-cache.org/Versions/v2/2.5/

    or the mirrors (may take a while before all mirrors are updated).
    For a list of mirror sites see

        http://www.squid-cache.org/Download/ftp-mirrors.html
        http://www.squid-cache.org/Download/http-mirrors.html

    Individual patches to the mentioned issues can be found from our
    patch archive for version Squid-2.5.STABLE4

        http://www.squid-cache.org/Versions/v2/2.5/bugs/

    The patches should also apply with only a minimal effort to
    earlier Squid 2.5 versions if required.

    If you are using a prepackaged version of Squid then please refer
    to the package vendor for availability information on updated
    packages.
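    The two URL-handling behaviours above (the 'urllogin [[:cntrl:]]'
    check on the userinfo field, and the "%00" decoding difference that
    lets "http://foo%00@www.example.com/" slip past a url_regex ACL)
    can be modelled in a few lines. The following is an added example
    written for this advisory page; it is not Squid's own C code, and
    the function names, the sample URLs and the assumption that the
    login field is decoded before the urllogin pattern is applied are
    this example's own.

```python
import re
from urllib.parse import urlsplit

# Added example modelling the two URL-decoding behaviours described in
# the advisory. Not Squid's own code; names and sample URLs are constructed.

PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
# Python equivalent of the POSIX [[:cntrl:]] class used by the urllogin ACL.
CONTROL_CHAR = re.compile(r"[\x00-\x1f\x7f]")


def percent_decode(text, keep_nul):
    """Decode %xx escapes in text.

    keep_nul=False decodes every escape, %00 included, into a NUL character
    (the pre-2.5.STABLE5 behaviour the advisory describes).
    keep_nul=True leaves the literal text "%00" untouched (the STABLE5 fix:
    "leaving any occurrences of %00 in place while decoding").
    """
    def replace(match):
        code = int(match.group(1), 16)
        if code == 0 and keep_nul:
            return match.group(0)
        return chr(code)
    return PCT_ESCAPE.sub(replace, text)


def as_c_string(text):
    """Squid handles the decoded URL as a C string, so a NUL terminates it:
    nothing after the first NUL is visible to the regex match."""
    return text.split("\x00", 1)[0]


def text_seen_by_url_regex(url, fixed):
    """The string a url_regex ACL actually matches against, for the old
    decoder (fixed=False) and the STABLE5 decoder (fixed=True)."""
    return as_c_string(percent_decode(url, keep_nul=fixed))


def url_regex_denies(url, pattern, fixed):
    """Model of 'acl BadSite url_regex <pattern>' + 'http_access deny BadSite'.
    Returns True when the request would be denied."""
    return re.search(pattern, text_seen_by_url_regex(url, fixed)) is not None


def userinfo_of(url):
    """Return the still-encoded userinfo (login) part of url, or '' if none."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return ""
    return netloc.rsplit("@", 1)[0]


def userinfo_has_control_char(url):
    """Model of 'acl UserInfoControlChar urllogin [[:cntrl:]]'.

    Assumption (this example's, not stated by the advisory): the login field
    is decoded before the pattern is applied, which is what makes [[:cntrl:]]
    match an *encoded* control character such as %01.
    """
    login = percent_decode(userinfo_of(url), keep_nul=False)
    return CONTROL_CHAR.search(login) is not None


if __name__ == "__main__":
    bad_site = r"www\.example\.com"
    # Constructed sample URLs: the advisory's bypass URL, a benign URL with an
    # ordinary escape, and a userinfo field carrying an encoded control char.
    for url in ("http://foo%00@www.example.com/",
                "http://www.example.com/a%20b",
                "http://www.example.com%01@other-host.invalid/"):
        print(url)
        print("  url_regex denies, old decoder:  ", url_regex_denies(url, bad_site, fixed=False))
        print("  url_regex denies, fixed decoder:", url_regex_denies(url, bad_site, fixed=True))
        print("  urllogin [[:cntrl:]] matches:   ", userinfo_has_control_char(url))
```

    With the old decoder the first URL is reduced to "http://foo" before
    the pattern is tried and is therefore not denied; with the fixed
    decoder the "%00" stays in the string and the pattern matches. The
    same userinfo check is what a redirector built for the MSIE
    workaround would apply before sending the user to a local
    explanation page.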
__________________________________________________________________

Determining if your version is vulnerable:

    To determine which version of Squid you are using, run the command

        squid -v

    You are likely to be vulnerable to these issues if you are running
    version 2.5.STABLE4 or earlier.

    If you are using a binary or otherwise pre-packaged version please
    verify with your vendor on which versions are affected as some
    vendors ship earlier versions with the needed patches applied.

    Note that unless you have upgraded to a version released after
    2003-01-14 you are most likely vulnerable to these issues.

    There is no easy means to determine if your version is affected
    other than by the Squid version number.
__________________________________________________________________

Other versions of Squid:

    Versions prior to the 2.5 series are deprecated, please update to
    Squid-2.5.STABLE5 if you are using a version older than 2.5.

    These changes have also been made to the Squid-3 source tree.
__________________________________________________________________

Workarounds:

    To address the MSIE URL display bug, you may want to upgrade your
    Explorer installations if and when a patch is available from
    Microsoft.

    You may be able to work around the MSIE bug by developing a Squid
    redirector. When the redirector program detects a suspicious URL
    (e.g., with control characters in the userinfo field), it can
    redirect the user to a local page that describes the issue.

    The best way to avoid Squid's "%00" bug is to not use any
    url_regex ACL types. You may want to use dst_domain and/or
    urlpath_regex types instead.
__________________________________________________________________

Contact details for the Squid project:

    For installation / upgrade support: Your first point of contact
    should be your binary package vendor. If your install is built
    from the original squid sources, then the
    squid-users@squid-cache.org mailing list is your primary support
    point. (see for subscription details).
    For bug reporting, particularly security related bugs, the
    squid-bugs@squid-cache.org mailing list is the appropriate forum.
    It's a closed list (though anyone can post) and security related
    bug reports are treated in confidence until the impact has been
    established.

    For non security related bugs, the squid bugzilla database should
    be used.
__________________________________________________________________

Credits:

    Mitch Adair reported the %00 bug.

    Duane Wessels, for patching the %00 bug and adding the urllogin
    ACL type.
__________________________________________________________________

Revision history:

    2004-01-14 21:10 GMT  Initial release
    2010-09-16 07:05 GMT  Reference link updates
__________________________________________________________________
END