__________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2011:1 __________________________________________________________________ Advisory ID: SQUID-2011:1 Date: August 27, 2011 Summary: Bypass of browser same-origin access control in intercepted communication Affected versions: Squid 1.x -> 3.1 Squid 3.2 -> 3.2.0.10 Fixed in version: Squid 3.2.0.11 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2011_1.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0801 __________________________________________________________________ Problem Description: Due to Squid not reusing the original destination address on intercepted requests it's possible (even trivial) for flash or java applets to bypass the same-origin policy in the browser when Squid intercepts HTTP requests. The cause to this is that such applets are allowed to perform their own HTTP stack, in which case the same-origin policy of the browser sandbox only verifies that the applet tries to contact the same IP as from where it was loaded at the IP level. Squid then uses the Host header to determine which server to forward the request to which may be different from the connected IP. Applies to all Squid releases up to and including 3.2.0.10. __________________________________________________________________ Severity: This problem allows any browser script to bypass local security and retrieve arbitrary content from any source. __________________________________________________________________ Updated Packages: This bug is fixed by Squid versions 3.2.0.11 Due to the design of request handling processes in older Squid patches and fixed releases for older versions of Squid are not being provided at this time. If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: Squid and its cache are not harmed by this vulnerability. The issue is limited to client browsers. All Squid releases of any series up to 3.2.0.10 using the http_port 'transparent', 'intercept' or 'tproxy' flags are active vectors for this browser vulnerability. __________________________________________________________________ Workarounds: Turn off NAT and TPROXY interception. Including the http_port 'transparent', 'intercept' or 'tproxy' flags in squid.conf. __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If your install and build Squid from the original Squid sources then the squid-users@xxxxxxxxxxxxxxx mailing list is your primary support point. For subscription details see <http://www.squid-cache.org/Support/mailing-lists.html>. For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used <http://bugs.squid-cache.org/>. For reporting of security sensitive bugs send an email to the squid-bugs@xxxxxxxxxxxxxxx mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: Thanks to Netspace Ltd and Treehouse Networks Ltd for sponsoring the architectural changes in Squid-3.2 leading to this solution. Thanks to Henrik Nordstrom and Steven Wilton for initial diagnosis. __________________________________________________________________ Revision history: 2011-08-27 10:06 GMT Initial version __________________________________________________________________ END