Re: [squid-users] Squid 3.2.1 is available

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Thu, 16 Aug 2012 00:15:15 +0300

Downloaded the source from JP mirror and compiled.
Works like a charm with http interception and http cache_peer.

On 8/15/2012 2:29 PM, Amos Jeffries wrote:
> * CVE-2009-0801 : NAT interception vulnerability to malicious clients.
About this "bug": I tried to read about it just out of curiosity, but I didn't
understand the actual vulnerability.
In the bugzilla it states:
##start
Due to Squid not reusing the original destination address on intercepted
requests it's possible (even trivial) for flash or java applets to bypass the
same-origin policy in the browser when Squid intercepts HTTP requests.

The cause to this is that such applets are allowed to perform their own HTTP
stack, in which case the same-origin policy of the browser sandbox only
verifies that the applet tries to contact the same IP as from where it was
loaded at the IP level. Squid then uses the Host header to determine which
server to forward the request to which may be different from the connected IP.

Applies to all Squid releases.
##end

Well, this is the basic expected behavior of a proxy to verify the
destination host and NAT interception.

Even if the destination IP is not the same as the connected one, it still
validates the same host\domain, so what is the problem?

Thanks,
Eliezer

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
Received on Wed Aug 15 2012 - 21:16:17 MDT
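
The mismatch the quoted bug report describes, as an added example that is not part of the original message and is not Squid's own code: routing an intercepted request by its Host header alone, next to a check against the address the client actually connected to. The host names, addresses, DNS table and function names are constructed for the demo.

```python
import ipaddress

# Constructed DNS view for the demo (documentation address ranges).
SAMPLE_DNS = {
    "applet-origin.example": {"192.0.2.10"},
    "intranet.example": {"198.51.100.7"},
}

def host_header(raw_request: bytes) -> str:
    """Return the Host header value, without port, from a raw HTTP/1.x request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    hosts = [line.split(":", 1)[1].strip()
             for line in head.split("\r\n")[1:]
             if line.lower().startswith("host:")]
    if len(hosts) != 1:
        raise ValueError("request must carry exactly one Host header")
    host = hosts[0]
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:80
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if ":" in host else host

def resolve(host: str, dns=SAMPLE_DNS) -> set:
    """Addresses a Host value maps to: itself if an IP literal, else the DNS table."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        return set(dns.get(host.lower().rstrip("."), ()))

def route_by_host(raw_request: bytes, dns=SAMPLE_DNS) -> str:
    """Behaviour described in the bug report: upstream chosen from Host alone."""
    addrs = sorted(resolve(host_header(raw_request), dns))
    if not addrs:
        raise LookupError("Host does not resolve")
    return addrs[0]

def route_verified(raw_request: bytes, orig_dst_ip: str, dns=SAMPLE_DNS):
    """Reuse the client's original destination; report whether Host agrees with it.

    Returns (upstream_ip, host_matches). A False flag means the Host value does
    not resolve to the connected address, so it must not steer the request.
    """
    dst = str(ipaddress.ip_address(orig_dst_ip))
    return dst, dst in resolve(host_header(raw_request), dns)

# Constructed requests from a client whose TCP connection went to 192.0.2.10.
MISMATCHED = b"GET /data HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
MATCHING = b"GET /data HTTP/1.1\r\nHost: applet-origin.example:80\r\n\r\n"
```

With `MISMATCHED`, `route_by_host` sends the request to an address the client never connected to, while `route_verified` keeps the original destination and reports the disagreement so it can be logged.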
