Bug 1645146 (CVE-2018-19131) - CVE-2018-19131 squid: Cross-Site Scripting when generating HTTPS response messages about TLS errors
Summary: CVE-2018-19131 squid: Cross-Site Scripting when generating HTTPS response mes...
Keywords:
Status: NEW
Alias: CVE-2018-19131
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1651557 1645147 1645148
Blocks: 1645151
TreeView+ depends on / blocked
 
Reported: 2018-11-01 13:47 UTC by Pedro Sampaio
Modified: 2019-09-29 15:01 UTC (History)
7 users (show)

Fixed In Version: Squid 4.4, Squid 3.5
Doc Type: If docs needed, set a value
Doc Text:
A Cross-Site Scripting vulnerability has been discovered in squid in the way X.509 certificates fields are displayed in some error pages. An attacker who can control the certificate of the origin content server may use this flaw to inject scripting code in the squid generated page, which is executed on the client's browser.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Pedro Sampaio 2018-11-01 13:47:01 UTC
Due to incorrect input handling, Squid is vulnerable to a Cross-Site Scripting vulnerability when generating HTTPS response messages about TLS errors.

Upstream advisory:

http://www.squid-cache.org/Advisories/SQUID-2018_4.txt

Upstream patch:

http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-f1657a9decc820f748fa3aff68168d3145258031.patch
http://www.squid-cache.org/Versions/v4/changesets/squid-4-828245b90206602014ce057c3db39fb80fcc4b08.patch

Comment 1 Pedro Sampaio 2018-11-01 13:47:54 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1645147]

Comment 4 Riccardo Schirone 2018-11-20 10:25:27 UTC
When Squid produces a ERR_SECURE_CONNECT_FAIL, the origin content server certificate's information are displayed as part of the error page without proper escaping. An attacker who can control the certificate used on the origin content server and that can produce a ERR_SECURE_CONNECT_FAIL error may be able to inject scripting code in the generated page, which will be executed in the client's browser.

Comment 5 Riccardo Schirone 2018-11-20 10:41:13 UTC
Squid on RHEL 6 does not escape the certificate's information properly, but it has no page that uses the "%D" format to print them.

Comment 7 Riccardo Schirone 2018-11-20 10:45:31 UTC
External References:

http://www.squid-cache.org/Advisories/SQUID-2018_4.txt

Comment 8 Riccardo Schirone 2018-11-20 10:45:39 UTC
Mitigation:

Remove %D error page macro from ERR_SECURE_CONNECT_FAIL pages found under /usr/share/squid/errors/ and any custom error pages.


Note You need to log in before you can comment on or make changes to this bug.