RE: [squid-users] Arbitrary HTML code

From: Henrik Larsson (GIS) <Henrik.Larsson@dont-contact.us>
Date: Wed, 17 Oct 2001 12:02:10 +0200

OK. Sorry about a stupid question, but how do I get the patch and how do I install it?

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: den 17 oktober 2001 11:29
To: Henrik Larsson (GIS)
Cc: 'squid-users@squid-cache.org'
Subject: Re: [squid-users] Arbitrary HTML code

Your users may worry about it as it makes their browsers open to
cross-site scripting.

You may consider upgrading to a current Squid version, or at a minimum
to patch the problem. The current Squid version is Squid-2.4.STABLE2 +
some patches <http://www.squid-cache.org/Versions/v2/2.4/bugs/>

Regards
Henrik Nordström
Squid Hacker
MARA Systems AB, Stockholm, Sweden

"Henrik Larsson (GIS)" wrote:
>
> Hello,
>
> Is this something I should worry about? I'm running Squid 2.3.STABLE4 under RH6.1. Should I apply a patch for this?
>
> A security vulnerability in the product allows attackers to
> insert arbitrary HTML code into the response sent back to the
> user. This would allow an attacker to send back JavaScript,
> HTML redirectors, etc.
>
> Details
> Vulnerable systems:
> Squid version 2.3.STABLE4 and prior
> Squid version 2.4.DEVEL4 and prior
>
> Squid does not properly ensure that the text sent back
> to the user is properly encoded as HTML. This enables a
> malicious user to insert script code or other HTML tags, and
> exploit the web browser of any user visiting their page.
>
> Example:
> Accessing the following URL:
> http://www.example.com/<b>test</b>
>
> Will cause the user to get an invalid URL page with
> test in bold.
>
> /henrik
Received on Wed Oct 17 2001 - 04:02:42 MDT
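The advisory quoted in this thread boils down to one missing step: the request URL is copied into Squid's "invalid URL" error page without HTML encoding, so the `<b>test</b>` in the example URL is rendered as markup instead of text. The following C sketch is an added example, not Squid's own code and not part of the original thread: it renders a minimal error page the vulnerable way and the hardened way side by side. The names `html_escape`, `render_error_page_raw`, `render_error_page_escaped` and `page_contains_tag` are hypothetical, and the page template and sample URL are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Escape the five HTML metacharacters so attacker-supplied text is inert
 * inside element content or a quoted attribute. Returns 0 on success,
 * -1 if the escaped text would not fit in out (out is always NUL-terminated). */
static int html_escape(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, '\0' };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (pos + n >= outlen) { out[pos] = '\0'; return -1; }
        memcpy(out + pos, rep, n);
        pos += n;
    }
    out[pos] = '\0';
    return 0;
}

/* Constructed stand-in for an error-page template; %s is where the URL goes. */
static const char *page_template =
    "<html><body><h1>ERROR</h1><p>The requested URL could not be retrieved</p>"
    "<blockquote>%s</blockquote></body></html>";

/* Vulnerable pattern: the client-controlled URL is pasted straight into the page. */
static int render_error_page_raw(const char *url, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, page_template, url);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened version: escape the URL first, then substitute it into the template. */
static int render_error_page_escaped(const char *url, char *out, size_t outlen)
{
    char safe[1024];
    if (html_escape(url, safe, sizeof safe) != 0) return -1;
    int n = snprintf(out, outlen, page_template, safe);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Returns 1 if the rendered page still contains the given raw markup, else 0. */
static int page_contains_tag(const char *page, const char *tag)
{
    return strstr(page, tag) != NULL;
}

int main(void)
{
    /* Constructed input: the URL from the advisory. */
    const char *url = "http://www.example.com/<b>test</b>";
    char raw[2048], safe[2048];
    render_error_page_raw(url, raw, sizeof raw);
    render_error_page_escaped(url, safe, sizeof safe);
    printf("raw page carries <b>test</b> as markup: %s\n",
           page_contains_tag(raw, "<b>test</b>") ? "yes" : "no");
    printf("escaped page carries <b>test</b> as markup: %s\n",
           page_contains_tag(safe, "<b>test</b>") ? "yes" : "no");
    printf("%s\n", safe);
    return 0;
}
```

The point of escaping at the substitution site rather than rejecting "bad" URLs is that the URL is legitimately allowed to contain these characters; the error page just has to present them as text. The bounded-length check in `html_escape` matters because escaping grows the string (a single `<` becomes four bytes), which is the kind of expansion a fixed-size error buffer has to survive.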

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:48 MST