Bug 817521 (CVE-2012-2213)

Summary: CVE-2012-2213 squid: URL filtering bypass
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CANTFIX
Severity: low
Priority: low
Version: unspecified
CC: henrik, jonathansteffan, mluscon, prc
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-05-18 13:24:52 UTC
Bug Blocks: 817524    
Attachments:
Reproducer from original post (flags: none)

Description Jan Lieskovsky 2012-04-30 11:51:57 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-2213 to the following vulnerability:

** DISPUTED ** Squid 3.1.9 allows remote attackers to bypass the access configuration for the CONNECT method by providing an arbitrary allowed hostname in the Host HTTP header. NOTE: this issue might not be reproducible, because the researcher is unable to provide a squid.conf file for a vulnerable system, and the observed behavior is consistent with a squid.conf file that was (perhaps inadvertently) designed to allow access based on a "req_header Host" acl regex that matches www.uol.com.br.

References:
[1] http://archives.neohapsis.com/archives/bugtraq/2012-04/0117.html
[2] http://archives.neohapsis.com/archives/bugtraq/2012-04/0131.html
[3] http://archives.neohapsis.com/archives/bugtraq/2012-04/0146.html
[4] http://archives.neohapsis.com/archives/bugtraq/2012-04/0140.html
[5] http://archives.neohapsis.com/archives/bugtraq/2012-04/0163.html
[6] http://archives.neohapsis.com/archives/bugtraq/2012-04/0165.html
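
An added example, not part of the bug report or of Squid: a small Python check that flags `http_access allow` rules depending on a `req_header Host` ACL, the configuration pattern the CVE description says would explain the observed behaviour. The sample squid.conf and the function name `find_host_header_allows` are constructed for illustration; the reporter's actual configuration was never provided.

```python
# Constructed sample squid.conf (an assumption for illustration, not the
# reporter's file). allowed_hdr trusts the client-supplied Host header;
# allowed_dst matches the destination of the request itself.
SAMPLE_CONF = r"""acl CONNECT method CONNECT
acl allowed_hdr req_header Host -i www\.uol\.com\.br
acl allowed_dst dstdomain www.uol.com.br
http_access allow CONNECT allowed_hdr
http_access allow CONNECT allowed_dst
http_access deny all
"""


def find_host_header_allows(conf_text):
    """Return (line_no, rule, acl_names) for every 'http_access allow' rule
    that depends on an ACL matching the Host request header."""
    host_acls = set()
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        # acl <name> req_header <header-name> [-i] <regex>
        if len(tokens) >= 4 and tokens[0] == "acl" and tokens[2] == "req_header":
            if tokens[3].lower() == "host":
                host_acls.add(tokens[1])
        # http_access allow <acl> [<acl> ...]
        elif len(tokens) >= 3 and tokens[0] == "http_access" and tokens[1] == "allow":
            # A negated ACL ("!name") is not a grant based on the header value,
            # so only plain references are reported.
            used = [t for t in tokens[2:] if t in host_acls]
            if used:
                findings.append((line_no, " ".join(tokens), used))
    return findings


if __name__ == "__main__":
    for line_no, rule, acls in find_host_header_allows(SAMPLE_CONF):
        print(f"line {line_no}: '{rule}' trusts Host header via {', '.join(acls)}")
```

Rules flagged this way can be rewritten to match the request's destination (for example with a `dstdomain` ACL, as on line 3 of the sample) rather than a header the client controls.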

Comment 1 Jan Lieskovsky 2012-04-30 11:53:21 UTC
Created attachment 581172
Reproducer from original post

Comment 6 Stefan Cornelius 2012-05-18 13:24:52 UTC
The exact conditions this was tested under are unknown and the reporter cannot provide enough additional information (the squid configuration file used, for example) to properly evaluate this report for security relevance. Currently it is unknown whether this problem constitutes a new security flaw or if it is just the result of improper configuration.


Statement:

We do not currently plan to fix this issue due to the lack of further information about the flaw and its impact. If more information becomes available at a future date, we may revisit the issue.