Re: Anyone here read vuln-dev?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 29 Oct 2000 18:42:30 +0100

No I don't read vuln-dev. However, Squid has not been audited at all for
cross-site scripting vulnerabilities or other places where plain text
is sent as HTML. There is not a single place where text is HTML
encoded.

There are issues like this in

a) Error page generation

b) FTP listings and messages

c) Probably also in gopher and wais

The error page generation is the most critical as this is exploitable at
the client to do cross-site scripting. The others mostly fail.

I certainly do not object to fixing this, however please keep in mind
that simply encoding < > & is not enough as there are buggy clients
around reading their 8-bit variants as 7-bit characters... so to be on
the safe side the following encoding should be used:

& -> &amp;
< -> &lt;
> -> &gt;
<32 >=127 -> &NN; where NN is the hexadecimal value of the character
(unsigned char).

/Henrik

Adrian Chadd wrote:
>
> On Sun, Oct 29, 2000, Robert Collins wrote:
> > There's a new issue with squid been reported on vuln-dev:
> >
> > a url like
> > http://123.microsoft.com/<script>alert(this.document.cookie)</script>
> > does not have its html entities quoted (ie & > &amp;) before display on an
> > errorpage. This allows cross site scripting attacks against all clients
> > behind squid proxies.
> >
> > I suggest we add a html library file similar to the rfc1738 one to take a
> > string and return a "safe to show on a web page" by escaping all the known
> > entities.
> >
> > Probably there is a "standard way of doing this" - perhaps the xml library
> > or some other library can just be linked in....
>
> Interesting. Ok, I'll commit what you've sent as a patch unless anyone
> objects in the next couple days.
>
> --
> Adrian Chadd "God: Damn! I left pot everywhere!
> <adrian@creative.net.au> Now I'll have to create Republicans!"
> - Bill Hicks
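As an added illustration of the encoding rule Henrik lays out above (not Squid's own code, and not part of the original thread), here is a C routine that escapes &, <, > as named entities and every control or 8-bit byte as a numeric character reference. It assumes the standard HTML form `&#xNN;` for the numeric references, and the sample URL it prints is a constructed one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a string for safe inclusion in HTML (constructed example, not
 * Squid's own code). '&' '<' '>' become named entities; every byte below
 * 32 or at/above 127 becomes a hexadecimal numeric character reference,
 * so a client that mis-decodes 8-bit bytes as 7-bit can never see a
 * stray '<' or '>'. Returns a malloc()ed string that the caller frees. */
char *html_quote(const char *s)
{
    /* Worst case: every byte expands to "&#xNN;" (6 characters). */
    size_t cap = strlen(s) * 6 + 1;
    char *out = malloc(cap);
    char *p = out;
    const unsigned char *u;

    if (!out)
        return NULL;
    for (u = (const unsigned char *)s; *u; u++) {
        if (*u == '&')
            p += sprintf(p, "&amp;");
        else if (*u == '<')
            p += sprintf(p, "&lt;");
        else if (*u == '>')
            p += sprintf(p, "&gt;");
        else if (*u < 32 || *u >= 127)   /* control or 8-bit byte */
            p += sprintf(p, "&#x%02X;", *u);
        else
            *p++ = (char)*u;
    }
    *p = '\0';
    return out;
}

/* Helper for checking: returns 1 if html_quote(s) equals expected. */
int html_quote_matches(const char *s, const char *expected)
{
    char *q = html_quote(s);
    int ok = q != NULL && strcmp(q, expected) == 0;
    free(q);
    return ok;
}

int main(void)
{
    /* Constructed sample in the shape of the URL reported in the thread. */
    char *q = html_quote("http://example.invalid/<script>alert(1)</script>");
    printf("%s\n", q);
    free(q);
    return 0;
}
```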
Received on Sun Oct 29 2000 - 14:06:16 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:12:53 MST