From 48afa4febc914031153792c8cb16d39e2dedfa3a Mon Sep 17 00:00:00 2001 From: nectar Date: Mon, 24 Jan 2005 19:39:20 +0000 Subject: Document a possible cache-poisoning issue affecting squid. Submitted by: Thomas-Martin Seck --- security/vuxml/vuln.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 1c8d42d7a5a..efedde2c846 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -32,6 +32,48 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --> + + squid -- possible cache-poisoning via malformed HTTP + responses + + + squid + 2.5.7_9 + + + + +

The squid patches page notes:

+
+

This patch makes Squid considerably stricter while + parsing the HTTP protocol.

+
    +
  1. A Content-length header should only appear once in a + valid request or response. Multiple Content-length + headers, in conjunction with specially crafted requests, + may allow Squid's cache to be poisioned with bad content + in certain situations.
  2. +
  3. CR characters is only allowed as part of the CR NL + line terminator, not alone. This to ensure that all + involved agrees on the structure of HTTP headers.
  4. +
  5. Rejects requests/responses that have whitespace in an + HTTP header name.
  6. +
+
+

To enable these strict parsing rules, update to at least + squid-2.5.7_9 and specify relaxed_header_parser + off in squid.conf.

+ +
+ + http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing + + + 2005-01-24 + 2005-01-24 + +
+ bugzilla -- cross-site scripting vulnerability -- cgit
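Review bot: the last paragraph of the description ("update to at least squid-2.5.7_9 and specify relaxed_header_parser off in squid.conf") makes the mitigation depend on a configuration setting, while the affected-package block above it records only the package name squid and the version 2.5.7_9. A version comparison against this entry cannot tell whether strict parsing is switched on, so an upgraded host with the setting left unchanged will no longer be flagged. Suggest saying explicitly in that paragraph that upgrading the port alone does not enable the stricter parsing. Separately, the references block carries only the squid patches URL and both dates read 2005-01-24. If the upstream page gives an earlier date for the patch, use that as the discovery date. The spelling "poisioned" in list item 1 sits inside the quoted upstream text, so it is reasonable to leave it verbatim.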