back to article Popular cache Squid skids as hacker pops lid

Tsinghua University postgraduate student Jianjun Chen has reported a critical cache poisoning vulnerability in the Squid proxy server, a transparent cache widely deployed by internet service providers. The vulnerability allows attackers to compromise connections using a maliciously-crafted packet. A patch has been produced for …

  1. Mr Flibble

    Quoting from squid.conf:


    As described in CVE-2009-0801 when the Host: header alone is used to determine the destination of a request it becomes trivial for malicious scripts on remote websites to bypass browser same-origin security policy and sandboxing protections.

    The cause of this is that such applets are allowed to perform their own HTTP stack, in which case the same-origin policy of the browser sandbox only verifies that the applet tries to contact the same IP as from where it was loaded at the IP level. The Host: header may be different from the connected IP and approved origin.

    This new reported vulnerability sounds… rather similar, and very much related.

  2. Alan J. Wylie

    The bug has been fixed in an official release

    A patch has been produced for daily versions but not yet distributed for regular builds, according to researchers.

    It's Bug 4501, fixed in 3.5.18

    Changes to squid-3.5.19 (09 May 2016):

    - Regression Bug 4515: interception proxy hangs

    Changes to squid-3.5.18 (06 May 2016):

    - Bug 4510: stale comment about 32KB limit on shared memory cache entries

    - Bug 4509: EUI compile error on NetBSD

    - Bug 4501: HTTP/1.1: normalize Host header

    - Bug 4498: URL-unescape the login-info after extraction from URI

    - Bug 4455: SegFault from ESIInclude::Start

    - Prevent Squid forcing -b 2048 into the arguments for sslcrtd_program

    - Fix TLS/SSL server handshake alert handling

  3. Doctor Syntax Silver badge

    "... attackers can readily obtain the necessary vantage point using techniques such as web ads."

    Here we go again.

    1. Dadmin

      Stay off the moors, don't go into the moors! Never EVER go into the moors!

      And by moors, I mean that Internet of them Tubes. Thanks yous!

  4. Daggerchild Silver badge

    But it's C++!

    I have horrible scars from trying Squid 3. It was a complete rewrite of the working v2 C program in C++, because C++. It continually painted the walls with its bowels and brains until we retreated, completely defeated.

    It leaked so much we set a memory ulimit on it. It then had a watchdog around it restarting it. It threw C++ exceptions, and didn't catch them. It threw the *same* exception from *multiple* places without the ability to distinguish them. It crashed, after unwinding the callstack to give you no useful data. It allocated space for ALL of a client's promised POST body content length. It made magical auto-elastic allocating C++ buffer objects, that didn't know how to answer when asked how much data they could accept, so everything passed data around in small sips, which the authors hadn't noticed! Performance went through the floor. CPUs burned. Clients hung waiting for data whose size it had miscounted. Regressions. Regressions everywhere.

    I'm sure it's gotten better since, but only a rewrite would fix some of those problems. The cascade of serious bug reports ever since makes me believe it's fundamentally unsalvageable. Paranoia and Performance should have been top of the redesign priority list, but didn't even figure...

    1. Amos

      Re: But it's C++!

      If only it was a complete re-write. Most of what you are mentioning is C memory and assertion behaviour that was left in amongst the C++ code for "backwards compatibility". The (few) actual C++ bits work rather well.

      Including this lovely new vulnerability that I tracked back to Squid 1.1 before the mists of time got in the way.

      1. Daggerchild Silver badge

        Re: But it's C++!

        Squid 3 may have some nice C++ bits, but we could run multiple squid 2's with 50% CPU headroom, where we couldn't run one squid 3 without redlining. Summing everything I found, and everything I did, I could not explain or recover from this massive performance loss.

        I don't think you can blame the legacy C here. C++, j'accuse!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like