__________________________________________________________________

      Squid Proxy Cache Security Update Advisory SQUID-2005:5
__________________________________________________________________

Advisory ID:            SQUID-2005:5
Date:                   April 23, 2005
Summary:                HTTP Response Splitting Vulnerabilities
Affected versions:      Squid 2.5.STABLE7 and earlier
__________________________________________________________________

     http://www.squid-cache.org/Advisories/SQUID-2005_5.txt
__________________________________________________________________

Problem Description:

 Squid is susceptible to a class of attacks known as "HTTP
 Response Splitting." These attacks involve tricking servers
 into sending malformed or unexpected HTTP responses by
 exploiting weaknesses in input validation on dynamic pages.
 This may in some situations lead to cache poisoning.

__________________________________________________________________

Severity:

 This problem is serious because it allows a determined attacker
 with control over a client to poison Squid's cache on sites
 where this attack is possible. However, the major aspects of
 this problem are easily fixed by disabling (at least temporarily)
 HTTP persistent connections, as Squid already has several
 built-in sanity checks against this type of attack.

 Due to the nature of this attack it is impossible to fully cover
 all aspects at the proxy, but with the changes introduced,
 utilizing this weakness of HTTP servers via a Squid proxy is
 considerably harder and will with a very high probability leave
 visible traces in cache.log of the Squid server, making it
 easier to detect any such activity on your network.

__________________________________________________________________

Collateral Damage:

 After closing these vulnerabilities, Squid will emit warnings
 on certain web sites sending oversized responses without an
 attack actually taking place.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 2.5.STABLE8.

 In addition, two patches addressing different aspects of this
 problem can be found in our patch archive for version
 Squid-2.5.STABLE7:

 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting
 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-oversize_reply_headers

 These patches depend on the header_parsing patch mentioned in
 Squid Advisory SQUID-2005:4:

 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 Squid versions up to, and including, 2.5.STABLE7 are vulnerable.

__________________________________________________________________

Workarounds:

 The simplest workaround is to disable HTTP persistent
 connections. Add these lines to your squid.conf:

     client_persistent_connections off
     server_persistent_connections off

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support: Your first point of contact
 should be your binary package vendor.

 If your install is built from the original Squid sources, then
 the squid-users@squid-cache.org mailing list is your primary
 support point. (see for subscription details).

 For bug reporting, particularly security related bugs, the
 squid-bugs@squid-cache.org mailing list is the appropriate
 forum. It's a closed list (though anyone can post) and security
 related bug reports are treated in confidence until the impact
 has been established. For non security related bugs, the squid
 bugzilla database should be used.

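
 The workaround given under "Workarounds" can be verified with a small
 check like the one below. It is an added example, not part of the
 original advisory or of Squid. The function names and sample configs are
 constructed; it assumes that the last occurrence of a directive wins, that
 a missing directive means the default "on", and it accepts only the
 literal value "off" used in the advisory.

```shell
#!/bin/sh
# Added example: is the SQUID-2005:5 workaround active in a given squid.conf?
# Assumptions: last occurrence of a directive wins; absent means default "on".

# effective_value FILE DIRECTIVE -> prints the value in effect ("on" if unset)
effective_value() {
    awk -v d="$2" '
        BEGIN { v = "on" }                      # assumed default for both directives
        { sub(/#.*/, "") }                      # ignore commented-out text
        $1 == d && NF >= 2 { v = tolower($2) }  # later lines override earlier ones
        END { print v }
    ' "$1"
}

# workaround_applied FILE -> exit 0 only if both directives are "off"
workaround_applied() {
    rc=0
    for d in client_persistent_connections server_persistent_connections; do
        val=$(effective_value "$1" "$d")
        if [ "$val" != "off" ]; then
            echo "NOT APPLIED: $d is '$val' in $1" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: both lines from the advisory present.
sample_fixed() {
    printf '%s\n' 'http_port 3128' \
        'client_persistent_connections off' \
        'server_persistent_connections off'
}

# Constructed sample: one line commented out, the other re-enabled further down.
sample_partial() {
    printf '%s\n' 'client_persistent_connections off' \
        '# server_persistent_connections off' \
        'client_persistent_connections on'
}

# Stand-alone use: sh check.sh /path/to/squid.conf
[ "$#" -eq 0 ] || workaround_applied "$1"
```
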
__________________________________________________________________

Credits:

 The vulnerability was published by Watchfire in their HTTP
 Response Splitting whitepaper

__________________________________________________________________

Revision history:

 2005-04-23 07:15 GMT Initial version
 2010-09-16 07:05 GMT Reference link updates
__________________________________________________________________
END