Vigil@nce: Squid, denial of service via comma
August 2009 by Vigil@nce
When Squid is configured with an external ACL, an attacker can use
a comma to generate an infinite loop.
Severity: 2/4
Consequences: denial of service
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 19/08/2009
IMPACTED PRODUCTS
– Squid cache
DESCRIPTION OF THE VULNERABILITY
The external_acl_type configuration directive designates an
external program that makes access decisions. For example:
external_acl_type my_auth %Cookie:... /bin/my_prog
The second parameter indicates associated items (such as cookies
in this example).
The strListGetItem() function of the file HttpHeaderTools.c
(version 2.x) or HttpHeaderTools.cc (version 3.x) is used to split
associated items. For example, the cookie has to be split as Path,
Expires and Max-Age:
Cookie: ... Path=; Expires=Wed, 31-Dec-97 23:59:59 GMT; Max-Age=0
However, the comma character is handled as a field separator. The
comma located inside the date field thus generates an infinite
loop.
When Squid is configured with an external ACL, an attacker can
therefore use a comma to cause a denial of service.
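As an added illustration (not Squid's code and not part of the advisory), the following C tokenizer splits the Cookie attributes shown above on ';' only, treats ',' as ordinary data, and moves its cursor forward on every successful call so the calling loop always terminates. The names list_next_item and list_split are hypothetical, and the input string is constructed from the advisory's sample line.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Squid's strListGetItem(): return the next item of
 * a list separated only by `del`; ',' and other bytes are ordinary data. */
static int list_next_item(const char **pos, char del,
                          const char **item, size_t *ilen)
{
    const char *p = *pos, *end;
    while (*p != '\0' && (*p == del || *p == ' ' || *p == '\t'))
        p++;                    /* skip blanks and empty fields */
    *pos = p;
    if (*p == '\0')
        return 0;
    end = strchr(p, del);
    if (end == NULL)
        end = p + strlen(p);
    *pos = end;                 /* end > p, so the cursor always advances */
    *item = p;
    *ilen = (size_t)(end - p);
    return 1;
}

/* Copy item `n` (0-based) into out and return the number of items found. */
static int list_split(const char *s, char del, int n, char *out, size_t outsz)
{
    const char *pos = s, *item;
    size_t ilen;
    int count = 0;
    out[0] = '\0';
    while (list_next_item(&pos, del, &item, &ilen)) {
        if (count == n && ilen < outsz) {
            memcpy(out, item, ilen);
            out[ilen] = '\0';
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: attribute part of the Cookie line quoted above. */
    const char *hdr = "Path=; Expires=Wed, 31-Dec-97 23:59:59 GMT; Max-Age=0";
    char buf[64];
    int n = list_split(hdr, ';', 1, buf, sizeof buf);
    printf("%d items, item 1: %s\n", n, buf);
    return 0;
}
```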
CHARACTERISTICS
Identifiers: 2704, 534982, BID-36091, CVE-2009-2855,
VIGILANCE-VUL-8959
http://vigilance.fr/vulnerability/Squid-denial-of-service-via-comma-8959