SecurityTracker.com
Category:  Application (Generic)  >  Squid
Vendors:  Squid-cache.org
(Red Hat Issues Fix for Fedora) Squid Proxy Cache '%00' URL Character Access Control Bug May Let Remote Users Bypass Certain Access Controls
SecurityTracker Alert ID:  1009830
CVE Reference:  CAN-2004-0189
Date:  Apr 16 2004
Impact:  Host/resource access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Squid-2.x up to and including 2.5.STABLE4
Description:  A vulnerability was reported in the Squid Proxy Cache server in the processing of URLs containing '%00'. A remote user may be able to bypass certain access controls.

It is reported that a flaw in the '%xx' URL decoding function may allow a remote user to bypass access controls that use 'url_regex' access control list (ACL) types. The report indicates that Squid will insert a NUL character in place of '%00' in a URL before analyzing the URL for access control purposes. As a result, the 'http://foo%00@www.example.com/' URL will not be properly detected as a URL to be denied in accordance with the following type of access control configuration:

acl BadSite url_regex www\.example\.com
http_access deny BadSite

In this example, Squid will attempt to compare 'http://foo' with 'www\.example\.com' and will not find a match, so the URL will not be denied.
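
The truncation described above can be reproduced in a few lines of C. This is an added example, not Squid's code or the vendor's patch: it decodes the advisory's URL once with '%00' turned into a NUL byte and once with '%00' left escaped, then runs the ACL pattern over each result. The names url_unescape, acl_denies and keep_nul_escaped are hypothetical, POSIX regexec() stands in for Squid's matcher, and leaving '%00' undecoded is shown only as one possible mitigation.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Squid code): decode %xx in place. When
 * keep_nul_escaped is nonzero, "%00" stays literal instead of becoming NUL. */
static void url_unescape(char *s, int keep_nul_escaped)
{
    char *out = s;
    for (const char *in = s; *in; ) {
        if (in[0] == '%' && isxdigit((unsigned char)in[1]) &&
            isxdigit((unsigned char)in[2])) {
            char hex[3] = { in[1], in[2], '\0' };
            char c = (char)strtol(hex, NULL, 16);
            if (c != '\0' || !keep_nul_escaped) {
                *out++ = c;
                in += 3;
                continue;
            }
        }
        *out++ = *in++;
    }
    *out = '\0';
}

/* 1 = pattern matched (request denied), 0 = no match, -1 = error. */
static int acl_denies(const char *pattern, const char *raw_url, int keep_nul_escaped)
{
    regex_t re;
    char buf[256];
    if (strlen(raw_url) >= sizeof(buf) ||
        regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    strcpy(buf, raw_url);
    url_unescape(buf, keep_nul_escaped);
    /* regexec() takes a C string, so it stops at the first NUL byte. */
    int denied = (regexec(&re, buf, 0, NULL, 0) == 0);
    regfree(&re);
    return denied;
}

int main(void)
{
    const char *url = "http://foo%00@www.example.com/"; /* URL from the advisory */
    printf("NUL decoded: denied=%d\n", acl_denies("www\\.example\\.com", url, 0));
    printf("%%00 kept:    denied=%d\n", acl_denies("www\\.example\\.com", url, 1));
    return 0;
}
```
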

Mitch Adair is credited with reporting this flaw.

Impact:  A remote user may be able to submit a specially crafted URL to bypass url_regex access controls.
Solution:  Fedora has released a fix, available at:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

5b3bd9a972398edcacf4801ddc5718a2 SRPMS/squid-2.5.STABLE3-1.fc1.src.rpm
c48dccb3751ed519ac1189c8183540b7 i386/squid-2.5.STABLE3-1.fc1.i386.rpm
9a6eb17ff52b70020252026bb77b9279 i386/debug/squid-debuginfo-2.5.STABLE3-1.fc1.i386.rpm
6754ae8a0898506e7488975f9bb43cca x86_64/squid-2.5.STABLE3-1.fc1.x86_64.rpm
617e9faefdfc4a3fa1c9018e0ac7787f x86_64/debug/squid-debuginfo-2.5.STABLE3-1.fc1.x86_64.rpm

Vendor URL:  www.squid-cache.org/Advisories/SQUID-2004_1.txt
Cause:  Access control error
Underlying OS:  Linux (Red Hat Fedora)
Underlying OS Comments:  1.fc1
Reported By:  Jay Fenlason <fenlason@redhat.com>
Message History:   This archive entry is a follow-up to the message listed below.
Mar 1 2004 Squid Proxy Cache '%00' URL Character Access Control Bug May Let Remote Users Bypass Certain Access Controls



 Source Message Contents

Date:  Thu, 15 Apr 2004 14:33:56 -0400
From:  Jay Fenlason <fenlason@redhat.com>
Subject:  [SECURITY] Updated squid package fixes a security vulnerability

 

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-104
2004-04-15
---------------------------------------------------------------------

Name        : squid
Version     : 2.5.STABLE3                      
Release     : 1.fc1                  
Summary     : The Squid proxy caching server.
Description :
Squid is a high-performance proxy caching server for Web clients,
supporting FTP, gopher, and HTTP data objects. Unlike traditional
caching software, Squid handles all requests in a single,
non-blocking, I/O-driven process. Squid keeps meta data and especially
hot objects cached in RAM, caches DNS lookups, supports non-blocking
DNS lookups, and implements negative caching of failed requests.

Squid consists of a main server program squid, a Domain Name System
lookup program (dnsserver), a program for retrieving FTP data
(ftpget), and some management and client tools.

---------------------------------------------------------------------
Update Information:

---------------------------------------------------------------------
* Tue Mar 09 2004 Jay Fenlason <fenlason@redhat.com> 7:2.5.STABLE3-1.fc1

- Backport security fix for %00 hole.  See CAN-2004-0189:             
    The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows
    remote attackers to bypass url_regex ACLs via a URL with a NULL
    ("%00") character, which causes Squid to use only a portion of the
    requested URL when comparing it against the access control lists.  
- Backport security fix that adds urllogin acl type that can be used to
  protect vulnerable Microsoft Internet Explorer clients.


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

5b3bd9a972398edcacf4801ddc5718a2  SRPMS/squid-2.5.STABLE3-1.fc1.src.rpm
c48dccb3751ed519ac1189c8183540b7  i386/squid-2.5.STABLE3-1.fc1.i386.rpm
9a6eb17ff52b70020252026bb77b9279  i386/debug/squid-debuginfo-2.5.STABLE3-1.fc1.i386.rpm
6754ae8a0898506e7488975f9bb43cca  x86_64/squid-2.5.STABLE3-1.fc1.x86_64.rpm
617e9faefdfc4a3fa1c9018e0ac7787f  x86_64/debug/squid-debuginfo-2.5.STABLE3-1.fc1.x86_64.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
---------------------------------------------------------------------


--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list

 


Copyright 2004, SecurityGlobal.net LLC