Bug 48026

Summary: Squid passes acl's in httpd_accel mode in squid-2.3.STABLE4
Product: [Retired] Red Hat Linux Reporter: Paul Nasrat <pnasrat>
Component: squidAssignee: Bill Nottingham <notting>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: rvokal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.squid-cache.org/Versions/v2/2.3/bugs/
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-07-12 22:04:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Exploit
none
Sample config file none

Description Paul Nasrat 2001-07-09 14:31:16 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.17-14enterprise i686)

Description of problem:
Squid has a known bug in 2.3STABLE4 which ignores acl's in httpd_accel
mode.  This enables portscanning via squid running in this mode potentially
allowing 

How reproducible:
Always

Steps to Reproduce:
1.Set squid to httpd_accel mode, with a particular host and strict acl's
2. export httpd_proxy="http://squid-server:port"
3. lynx http://victim:22/
	

Actual Results:  You get a http 200 code if the port is open and sometimes
a response with some services SSH, SMTP, etc

Expected Results:  Should be access denied

Additional info:

RH 7.1 using squid-2.3.STABLE4-10 includes these patches
Comment 1 Paul Nasrat 2001-07-09 14:33:11 UTC 
Created attachment 23087 [details]
Exploit
Comment 2 Paul Nasrat 2001-07-09 14:36:54 UTC 
Created attachment 23088 [details]
Sample config file
Comment 3 Bill Nottingham 2001-07-23 05:21:25 UTC 
Fixed in the errata release.