Re: [squid-users] Arbitrary HTML code

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 17 Oct 2001 11:28:52 +0200

Your users may worry about it as it makes their browsers open to
cross-site-scripting.

You may consider upgrading to a current Squid version, or at a minimum
to patch the problem. The current Squid version is Squid-2.4.STABLE2 +
some patches <http://www.squid-cache.org/Versions/v2/2.4/bugs/>

Regards
Henrik Nordström
Squid Hacker
MARA Systems AB, Stockholm, Sweden

"Henrik Larsson (GIS)" wrote:
>
> Hello,
>
> Is this something I should worry about? I'm running squid2.3STABLE4 under RH6.1. Should I apply a patch for this?
>
> A security vulnerability in the product allows attackers to
> insert arbitrary HTML code into the response sent back to the
> user. This would allow an attacker to send back JavaScript,
> HTML Redirectors, etc.
>
> Details
> Vulnerable systems:
> Squid version 2.3.STABLE4 and prior
> Squid version 2.4.DEVEL4 and prior
>
> Squid does not properly ensure that the text sent back
> to the user is properly encoded as HTML. This enables a
> malicious user to insert script code or other HTML tags, and
> exploit the web browser of any user visiting their page.
>
> Example:
> Accessing the following URL:
> http://www.example.com/<b>test</b>
>
> Will cause the user to get an invalid URL page with
> test in bold.
>
> /henrik
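The advisory above describes an error page that interpolates the requested URL into HTML without encoding it. The following is an added example (not Squid's own code; the template text and the function names `html_escape`, `render_error_page` and `build_error_page_safe` are assumptions for illustration) showing the missing step: the same "invalid URL" template rendered once with the raw URL, so `<b>test</b>` becomes markup, and once with the URL HTML-escaped first, so it is shown as literal text.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the five characters that can change meaning inside HTML so a
 * client-supplied string is rendered as text, not as markup.
 * Returns a malloc'd buffer the caller must free, or NULL on failure. */
char *html_escape(const char *src)
{
    size_t len = strlen(src);
    char *out = malloc(len * 6 + 1);   /* worst case: every char -> "&quot;" */
    char *p = out;
    if (!out)
        return NULL;
    for (; *src; src++) {
        switch (*src) {
        case '<':  strcpy(p, "&lt;");   p += 4; break;
        case '>':  strcpy(p, "&gt;");   p += 4; break;
        case '&':  strcpy(p, "&amp;");  p += 5; break;
        case '"':  strcpy(p, "&quot;"); p += 6; break;
        case '\'': strcpy(p, "&#39;");  p += 5; break;
        default:   *p++ = *src;
        }
    }
    *p = '\0';
    return out;
}

/* Hypothetical "invalid URL" template. Interpolates url_text verbatim,
 * which is the behaviour the advisory describes: whatever tags the
 * client put in the URL end up in the page as tags. */
char *render_error_page(const char *url_text)
{
    const char *fmt = "<html><body><h1>Invalid URL</h1>"
                      "<p>The requested URL %s could not be retrieved.</p>"
                      "</body></html>";
    size_t n = strlen(fmt) + strlen(url_text) + 1;
    char *page = malloc(n);
    if (!page)
        return NULL;
    snprintf(page, n, fmt, url_text);
    return page;
}

/* Hardened path: escape the URL before handing it to the template. */
char *build_error_page_safe(const char *url)
{
    char *quoted = html_escape(url);
    char *page;
    if (!quoted)
        return NULL;
    page = render_error_page(quoted);
    free(quoted);
    return page;
}

int main(void)
{
    /* Constructed input mirroring the advisory's example URL. */
    const char *url = "http://www.example.com/<b>test</b>";
    char *unsafe = render_error_page(url);      /* tag survives */
    char *safe = build_error_page_safe(url);    /* tag is escaped */
    if (unsafe && safe)
        printf("unsafe:\n%s\n\nsafe:\n%s\n", unsafe, safe);
    free(unsafe);
    free(safe);
    return 0;
}
```

The escaping has to happen at the point where untrusted text meets the HTML template, so a reviewer checking an error-page generator should look for exactly one such call on every interpolated value; escaping the URL once at parse time and then building the page from a different, unescaped copy reproduces the original problem.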
Received on Wed Oct 17 2001 - 03:27:52 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:47 MST