Bug 48026 - Squid passes acl's in httpd_accel mode in squid-2.3.STABLE4
Summary: Squid passes acl's in httpd_accel mode in squid-2.3.STABLE4
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: squid
Version: 7.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
URL: http://www.squid-cache.org/Versions/v...
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-07-09 14:31 UTC by Paul Nasrat
Modified: 2014-03-17 02:21 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2001-07-12 22:04:36 UTC


Attachments (Terms of Use)
Exploit (1.29 KB, text/plain)
2001-07-09 14:33 UTC, Paul Nasrat
no flags Details
Sample config file (609 bytes, text/plain)
2001-07-09 14:36 UTC, Paul Nasrat
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2001:097 normal SHIPPED_LIVE : New squid packages for Red Hat Linux 7.0 2001-07-12 04:00:00 UTC

Description Paul Nasrat 2001-07-09 14:31:16 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.17-14enterprise i686)

Description of problem:
Squid has a known bug in 2.3STABLE4 which ignores acl's in httpd_accel
mode.  This enables portscanning via squid running in this mode potentially
allowing 

How reproducible:
Always

Steps to Reproduce:
1.Set squid to httpd_accel mode, with a particular host and strict acl's
2. export httpd_proxy="http://squid-server:port"
3. lynx http://victim:22/
	

Actual Results:  You get a http 200 code if the port is open and sometimes
a response with some services SSH, SMTP, etc

Expected Results:  Should be access denied

Additional info:

RH 7.1 using squid-2.3.STABLE4-10 includes these patches

Comment 1 Paul Nasrat 2001-07-09 14:33:11 UTC
Created attachment 23087 [details]
Exploit

Comment 2 Paul Nasrat 2001-07-09 14:36:54 UTC
Created attachment 23088 [details]
Sample config file

Comment 3 Bill Nottingham 2001-07-23 05:21:25 UTC
Fixed in the errata release.


Note You need to log in before you can comment on or make changes to this bug.