Vigil@nce: squidGuard, bypassing with a dot
February 2009 by Marc Jacob
SYNTHESIS OF THE VULNERABILITY
An attacker can add a dot in the URL in order to bypass the
restriction imposed by squidGuard.
Gravity: 2/4
Consequences: data flow
Provenance: intranet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 13/02/2009
IMPACTED PRODUCTS
– Fedora
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The squidGuard software is used with the Squid proxy to block
access to URLs that the security policy does not allow. For
example, the following URL can be blocked:
http://www.example.com/malicious
A domain name can end with a dot to indicate the root. For
example: "www.example.com.".
Squid branch 2 automatically removes dots at the end of domain
names. Branch 3 no longer does so.
However, squidGuard was not designed to handle domain names ending
with a dot. It therefore treats the two URLs as different. For example:
http://www.example.com/malicious
is different from:
http://www.example.com./malicious
An attacker can therefore add a dot in the URL in order to bypass
the restriction imposed by squidGuard.
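The mismatch described above, shown as an added Python example that is not squidGuard's or Squid's code: a lookup that uses the host exactly as received misses the dotted form, while a lookup that canonicalizes the host first matches both. The blocklist entry, function names and matching rule are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed blocklist entry (host, path prefix), based on the advisory's example URL.
BLOCKED = {("www.example.com", "/malicious")}


def naive_key(url):
    """Use the host exactly as it appears in the URL (no trailing-dot handling)."""
    parts = urlsplit(url)
    return (parts.hostname or "", parts.path)


def canonical_key(url):
    """Lowercase the host and drop one trailing root dot before the lookup."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.endswith("."):
        host = host[:-1]
    return (host, parts.path)


def is_blocked(url, key_func):
    """True if the URL's (host, path) falls under a blocklist entry."""
    host, path = key_func(url)
    return any(
        host == h and (path == p or path.startswith(p + "/"))
        for h, p in BLOCKED
    )


if __name__ == "__main__":
    for u in ("http://www.example.com/malicious",
              "http://www.example.com./malicious"):
        print(u, "naive:", is_blocked(u, naive_key),
              "canonical:", is_blocked(u, canonical_key))
```

The same canonicalization has to be applied to the blocklist entries themselves when they are loaded, so that both sides of the comparison use one form.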
CHARACTERISTICS
Identifiers: FEDORA-2009-1520, FEDORA-2009-1523, SG-2008-06-13,
VIGILANCE-VUL-8470
http://vigilance.fr/vulnerability/squidGuard-bypassing-with-a-dot-8470