Vigil@nce: Squid, connection to a private service
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can use an active technology, such as a Java applet running
in the victim's browser, to obtain information from a private service
that is reachable through Squid.
Gravity: 2/4
Consequences: data reading, data flow
Provenance: internet server
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by a trusted third party (4/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 23/02/2009
IMPACTED PRODUCTS
– Squid cache
DESCRIPTION OF THE VULNERABILITY
The Host header of the HTTP protocol defines the server name. For
example, the "http://example.com/page" URL produces the following
HTTP request:
GET /page HTTP/1.1
Host: example.com
Proxies, such as Squid, use the Host header value to determine which
server to connect to.
However, some active technologies, such as Flash or Java, can
change the Host header.
An attacker can therefore, for example, create a web site hosting a
malicious Java applet. When this applet runs in the victim's web
browser, it changes the Host header so that Squid connects to
another computer (such as a computer unreachable from the internet).
The Java applet thus obtains access to a private service.
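As an added illustration (not part of the advisory and not Squid's own code), the check an intercepting proxy can apply against this scenario: only honour the Host header when it resolves to the address the client's TCP connection was actually opened to. The resolver table and request bytes below are constructed so the example runs offline.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for DNS so the example runs offline (values are made up).
FAKE_DNS = {"example.com": "93.184.216.34", "intranet.local": "10.0.0.5"}


def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Return the Host header of a raw HTTP/1.1 request, port stripped, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            if host.startswith("["):              # IPv6 literal such as [::1]:80
                return host[1:host.find("]")] if "]" in host else None
            return host.rsplit(":", 1)[0] if ":" in host else host
    return None


def resolve(host: str) -> Optional[str]:
    """Resolve a name or IP literal via the constructed table (no real DNS)."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return FAKE_DNS.get(host.lower())


def check_request(raw_request: bytes, original_dst: str) -> str:
    """Decide whether an intercepting proxy should honour the Host header.

    original_dst is the IP the client's TCP connection was actually opened to,
    taken from the intercepted socket, never from the request itself.
    Returns "allow", "no-host" or "host-mismatch".
    """
    host = parse_host_header(raw_request)
    if host is None:
        return "no-host"
    if resolve(host) != original_dst:
        # The forged-Host case: the header names a machine other than the one
        # the browser connected to, so forwarding would reach an internal host.
        return "host-mismatch"
    return "allow"
```

A proxy that rejects the mismatch case falls back to the connection's original destination (or refuses the request) instead of opening a connection to whatever the Host header names.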
CHARACTERISTICS
Identifiers: BID-33858, VIGILANCE-VUL-8486, VU#435052
http://vigilance.fr/vulnerability/Squid-connection-to-an-private-service-8486