Bug 1199518 (CVE-2015-0881) - CVE-2015-0881 squid: CRLF injection flaw permitting HTTP response splitting attacks
Alias: CVE-2015-0881
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Reported: 2015-03-06 14:43 UTC by Martin Prpič
Modified: 2021-02-17 05:33 UTC

Fixed In Version: squid 3.1.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-03-06 14:44:04 UTC

Description Martin Prpič 2015-03-06 14:43:37 UTC
A CRLF injection flaw was found in Squid that could allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a specially crafted header in a response.

Note that the initial report of this issue was submitted to upstream in 2009. Only Squid 1.x, 2.x, and 3.0 releases are vulnerable.

Additional information:


Upstream Patch:


Comment 1 Martin Prpič 2015-03-06 14:44:04 UTC

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Enterprise Linux 6 ships version 3.1.10 and Red Hat Enterprise Linux 7 ships version 3.3.8 of squid, both of which include the fix for this issue.

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 2 Martin Prpič 2015-04-03 10:34:07 UTC
The root cause of this issue is that Squid read more than Content-Length bytes from a request and sent back everything that was received, even beyond what was specified in the Content-Length header. For example, a redirect request with a Content-Length header set to "0" could include an HTML body that would not be parsed, and would be directly sent in the response. This could be used by an attacker to split the response and include arbitrary HTML in the second response, poison the cache with this response, and potentially conduct other attacks such as CSRF or XSS.

The flaw was fixed by truncating response bodies to what is specified in the Content-Length header. This assures that requests that specify a correct content length cannot be used to carry other arbitrary content that may not be parsed. The code introduced a truncateVirginBody() function that handles this.

On RHEL 5, which includes Squid version 2.6, this function is missing and responses are not truncated. Thus, RHEL 5 is affected by this flaw. There is currently no known workaround for this issue besides patching Squid with the patch linked to in comment #0.

RHEL 6.0 shipped with Squid version 3.1.4, in which this flaw was already fixed and the code contains the truncateVirginBody() function that prevents the exploitation of this issue. Similarly, RHEL 7.0 was shipped with 3.3.8 in which this flaw has already been fixed as well.
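
The truncation described in comment 2, as an added Python illustration that is not part of the bug report and is not Squid's truncateVirginBody() code: it caps a relayed message body at the declared Content-Length and returns the surplus bytes separately. The function names, FramingError and the sample message are constructed for this example.

```python
class FramingError(ValueError):
    """Raised when a message's Content-Length framing is unusable."""


def split_head(raw: bytes):
    """Split a raw HTTP message into (start line, header list, remaining bytes)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("header block is not terminated")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Reject lines without a colon and names padded with whitespace.
        if not colon or not name or name != name.strip():
            raise FramingError("malformed header line")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers, rest


def declared_length(headers):
    """Return the declared Content-Length, or None if the header is absent."""
    values = {v for n, v in headers if n == b"content-length"}
    if not values:
        return None
    if len(values) > 1:
        raise FramingError("conflicting Content-Length headers")
    value = values.pop()
    if not value.isdigit():
        raise FramingError("Content-Length is not a non-negative integer")
    return int(value)


def truncate_body(raw: bytes):
    """Return (message to relay, surplus bytes dropped)."""
    _start, headers, rest = split_head(raw)
    length = declared_length(headers)
    if length is None:
        return raw, b""  # body is not framed by Content-Length
    if len(rest) < length:
        raise FramingError("body shorter than Content-Length")
    head = raw[: len(raw) - len(rest)]  # start line, headers and blank line
    return head + rest[:length], rest[length:]


# Constructed sample: a redirect declaring an empty body, followed by extra bytes.
SAMPLE = (b"HTTP/1.1 302 Found\r\nLocation: http://example.test/\r\n"
          b"Content-Length: 0\r\n\r\n<html>surplus</html>")
```

A non-empty second element from truncate_body() is worth logging, since it marks a message that carried bytes beyond its declared length.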
