Bug 1645146 (CVE-2018-19131)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2018-19131 squid: Cross-Site Scripting when generating HTTPS response messages about TLS errors | | |
| Product | [Other] Security Response | Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | anon.amish, code, jonathansteffan, luhliari, yozone |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | Squid 4.4, Squid 3.5 | Doc Type | If docs needed, set a value |
| Doc Text | A Cross-Site Scripting vulnerability has been discovered in squid in the way X.509 certificate fields are displayed in some error pages. An attacker who can control the certificate of the origin content server may use this flaw to inject scripting code into the squid-generated page, which is executed in the client's browser. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2021-10-25 22:20:53 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1645147, 1645148, 1651557 | | |
| Bug Blocks | 1645151 | | |
Description
Pedro Sampaio, 2018-11-01 13:47:01 UTC

Created squid tracking bugs for this issue: Affects: fedora-all [bug 1645147]

When Squid produces an ERR_SECURE_CONNECT_FAIL, the origin content server certificate's information is displayed as part of the error page without proper escaping. An attacker who can control the certificate used on the origin content server and who can produce an ERR_SECURE_CONNECT_FAIL error may be able to inject scripting code in the generated page, which will be executed in the client's browser.

Squid on RHEL 6 does not escape the certificate's information properly, but it has no page that uses the "%D" format to print them.

External References: http://www.squid-cache.org/Advisories/SQUID-2018_4.txt

Mitigation: Remove the %D error page macro from ERR_SECURE_CONNECT_FAIL pages found under /usr/share/squid/errors/ and any custom error pages.