[squid-users] [ADVISORY] SQUID-2011:1 Bypass of browser same-origin access control in intercepted communication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 29 Aug 2011 04:57:52 +1200


       Squid Proxy Cache Security Update Advisory SQUID-2011:1

Advisory ID: SQUID-2011:1
Date: August 27, 2011
Summary: Bypass of browser same-origin access
                         control in intercepted communication
Affected versions: Squid 1.x -> 3.1
                         Squid 3.2 ->
Fixed in version: Squid


Problem Description:

  Due to Squid not reusing the original destination address on
  intercepted requests it's possible (even trivial) for flash or
  java applets to bypass the same-origin policy in the browser
  when Squid intercepts HTTP requests.

  The cause to this is that such applets are allowed to perform
  their own HTTP stack, in which case the same-origin policy of
  the browser sandbox only verifies that the applet tries to
  contact the same IP as from where it was loaded at the IP level.
  Squid then uses the Host header to determine which server to
  forward the request to which may be different from the
  connected IP.

  Applies to all Squid releases up to and including



  This problem allows any browser script to bypass local security
  and retrieve arbitrary content from any source.


Updated Packages:

  This bug is fixed by Squid versions

  Due to the design of request handling processes in older Squid
  patches and fixed releases for older versions of Squid are not
  being provided at this time.

  If you are using a prepackaged version of Squid then please refer
  to the package vendor for availability information on updated


Determining if your version is vulnerable:

  Squid and its cache are not harmed by this vulnerability. The
  issue is limited to client browsers.

  All Squid releases of any series up to using the
  http_port 'transparent', 'intercept' or 'tproxy' flags are
  active vectors for this browser vulnerability.



  Turn off NAT and TPROXY interception. Including the http_port
  'transparent', 'intercept' or 'tproxy' flags in squid.conf.


Contact details for the Squid project:

  For installation / upgrade support on binary packaged versions
  of Squid: Your first point of contact should be your binary
  package vendor.

  If your install and build Squid from the original Squid sources
  then the squid-users_at_squid-cache.org mailing list is your primary
  support point. For subscription details see

  For reporting of non-security bugs in the latest STABLE release
  the squid bugzilla database should be used

  For reporting of security sensitive bugs send an email to the
  squid-bugs_at_squid-cache.org mailing list. It's a closed list
  (though anyone can post) and security related bug reports are
  treated in confidence until the impact has been established.



  Thanks to Netspace Ltd and Treehouse Networks Ltd for sponsoring
  the architectural changes in Squid-3.2 leading to this solution.

  Thanks to Henrik Nordstrom and Steven Wilton for initial diagnosis.


Revision history:

  2011-08-27 10:06 GMT Initial version
Received on Sun Aug 28 2011 - 16:58:06 MDT

This archive was generated by hypermail 2.2.0 : Sun Aug 28 2011 - 12:00:22 MDT