http://www.squid-cache.org/Advisories/SQUID-2004_1.txt

__________________________________________________________________

       Squid Proxy Cache Security Update Advisory SQUID-2004:1
__________________________________________________________________

Advisory ID:            SQUID-2004:1
Date:                   February 29, 2004
Summary:                Squid-2.5.STABLE5 fixes and features for
                         URL encoding tricks.
Affected versions:      Squid-2.x up to and including 2.5.STABLE4
__________________________________________________________________

        http://www.squid-cache.org/Advisories/SQUID-2004_1.txt
__________________________________________________________________

Problem Description:

  This memo discusses two important changes to Squid that
  deal with URL encoding issues.  These changes are available
  in Squid version 2.5.STABLE5.

  The first is a workaround for a recently-discovered Microsoft
  Internet Explorer bug.  The MSIE bug causes certain specially
  crafted URLs to be incorrectly displayed.  In particular, the
  user sees one hostname, while the request is sent to a different
  origin server.  This bug is triggered by creating a URL that has
  a hostname in the userinfo credentials field followed by an
  encoded, non-printable control character.  (For additional
  information, see http://www.kb.cert.org/vuls/id/652278)
  To help address this problem, Squid now includes a new access
  control type that can match patterns in the userinfo field.

  The second fixes a bug in Squid that allows users to bypass
  certain access controls.  Squid versions 2.5.STABLE4 and earlier
  contain a bug in the "%xx" URL decoding function.  It may insert
  a NUL character into decoded URLs, which may allow users to
  bypass url_regex ACLs.

  You can also find information on the changes by visiting our
  patch archive for version Squid-2.5.STABLE5:

    http://www.squid-cache.org/Versions/v2/2.5/bugs/

------------------------------------------------------------------

Severity:

  The MSIE bug does not pose any security problems to Squid itself.
  However, it does allow your users to be fooled into visiting a
  malicious site.  To block such URLs with Squid, you can use the
  new 'urllogin' ACL type:

     acl UserInfoControlChar urllogin [[:cntrl:]]
     http_access deny UserInfoControlChar
     <additional http_access rules follow>

  NOTE: regular expression libraries may vary from system to
  system.  Please double-check that the "[[:cntrl:]]" works on your
  particular operating system.


  The Squid decoding bug may allow clever users to bypass your
  access controls that use 'url_regex' ACL types.  If "%00" appears
  in the URL, previous Squid versions insert a NUL character when
  decoding.  For example, consider this access control
  configuration:

     acl BadSite url_regex www\.example\.com
     http_access deny BadSite

  and this URL requested by a user:

     http://foo%00@www.example.com/

  The vulnerable Squid will insert a NUL character after "foo" and
  make a comparison between "http://foo" and "www\.example\.com".
  The comparison does not result in a match, and the user's request
  is not denied.

  This bug has been fixed by leaving any occurrences of "%00" in
  place while decoding.

__________________________________________________________________

Updated Packages:

  The Squid-2.5.STABLE5 release contains fixes for these
  problems. You can download the Squid-2.4.STABLE5 release from

    ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
    http://www.squid-cache.org/Versions/v2/2.5/

  or the mirrors (may take a while before all mirrors are updated).
  For a list of mirror sites see

    http://www.squid-cache.org/Mirrors/ftp-mirrors.html
    http://www.squid-cache.org/Mirrors/http-mirrors.html

  Individual patches to the mentioned issues can be found from our
  patch archive for version Squid-2.5.STABLE4

    http://www.squid-cache.org/Versions/v2/2.5/bugs/

  The patches should also apply with only a minimal effort to
  earlier Squid 2.5 versions if required.

  If you are using a prepackaged version of Squid then please
  refer to the package vendor for availability information on
  updated packages.

__________________________________________________________________

Determining if your version is vulnerable:

  To determine which version of Squid you are using, run the command

     squid -v

  You are likely to be vulnerable to these issues if you are
  running version 2.5.STABLE4 or earlier.

  If you are using a binary or otherwise pre-packaged version
  please verify with your vendor on which versions are affected as
  some vendors ship earlier versions with the needed patches
  applied.  Note that unless you have upgraded to a version
  released after 2003-01-14 you are most likely vulnerable to
  these issues.

  There is no easy means to determine if your version is affected
  other than by the Squid version number.

__________________________________________________________________

Other versions of Squid:

  Versions prior to the 2.5 series are deprecated, please update
  to Squid-2.5.STABLE5 if you are using a version older than 2.5.

  These changes have also been made to the Squid-3 source tree.

__________________________________________________________________

Workarounds:

  To address the MSIE URL display bug, you may want to upgrade your
  Explorer installations if and when a patch is available from
  Microsoft.

  You may be able to work around the MSIE bug by developing a
  Squid redirector.  When the redirector program detects a
  suspicious URL (e.g., with control characters in the userinfo
  field), it can redirect the user to a local page that describes
  the issue.

  The best way to avoid Squid's "%00" bug is to not use any
  url_regex ACL types.  You may want to use dst_domain and/or
  urlpath_regex types instead.

__________________________________________________________________

Contact details for the Squid project:

  For installation / upgrade support: Your first point of contact
  should be your binary package vendor.

  If your install is built from the original squid sources, then
  the squid-users@squid-cache.org mailing list is your primary
  support point. (see <http://www.squid-cache.org/mailing-lists.html>
  for subscription details).

  For bug reporting, particularly security related bugs the
  squid-bugs@squid-cache.org mailing list is the appropriate forum.
  It's a closed list (though anyone can post) and security related
  bug reports are treated in confidence until the impact has been
  established. For non security related bugs, the squid bugzilla
  database should be used <http://www.squid-cache.org/bugs/>.

__________________________________________________________________

Credits:

  Mitch Adair reported %00 bug.

  Duane Wessels, for patching the %00 bug and adding the urllogin
  ACL type.

__________________________________________________________________

Revision history:

  2004-01-14 21:10 GMT Initial release
__________________________________________________________________
END