48026 – Squid passes acl's in httpd_accel mode in squid-2.3.STABLE4

Bug 48026 - Squid passes acl's in httpd_accel mode in squid-2.3.STABLE4

Summary: Squid passes acl's in httpd_accel mode in squid-2.3.STABLE4

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	squid
Sub Component:
Version:	7.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Bill Nottingham
QA Contact:
Docs Contact:
URL:	http://www.squid-cache.org/Versions/v...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2001-07-09 14:31 UTC by Paul Nasrat
Modified:	2014-03-17 02:21 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2001-07-12 22:04:36 UTC
Embargoed:

Attachments	(Terms of Use)
Exploit (1.29 KB, text/plain) 2001-07-09 14:33 UTC, Paul Nasrat	no flags	Details
Sample config file (609 bytes, text/plain) 2001-07-09 14:36 UTC, Paul Nasrat	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2001:097	0	normal	SHIPPED_LIVE	: New squid packages for Red Hat Linux 7.0	2001-07-12 04:00:00 UTC

Description Paul Nasrat 2001-07-09 14:31:16 UTC

From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.17-14enterprise i686)

Description of problem:
Squid has a known bug in 2.3STABLE4 which ignores acl's in httpd_accel
mode.  This enables portscanning via squid running in this mode potentially
allowing 

How reproducible:
Always

Steps to Reproduce:
1.Set squid to httpd_accel mode, with a particular host and strict acl's
2. export httpd_proxy="http://squid-server:port"
3. lynx http://victim:22/
	

Actual Results:  You get a http 200 code if the port is open and sometimes
a response with some services SSH, SMTP, etc

Expected Results:  Should be access denied

Additional info:

RH 7.1 using squid-2.3.STABLE4-10 includes these patches

Comment 1 Paul Nasrat 2001-07-09 14:33:11 UTC

Created attachment 23087 [details]
Exploit

Comment 2 Paul Nasrat 2001-07-09 14:36:54 UTC

Created attachment 23088 [details]
Sample config file

Comment 3 Bill Nottingham 2001-07-23 05:21:25 UTC

Fixed in the errata release.

Note You need to log in before you can comment on or make changes to this bug.