Bug 48026 - Squid passes acl's in httpd_accel mode in squid-2.3.STABLE4
Squid passes acl's in httpd_accel mode in squid-2.3.STABLE4
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: squid (Show other bugs)
7.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Bill Nottingham
http://www.squid-cache.org/Versions/v...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-07-09 10:31 EDT by Paul Nasrat
Modified: 2014-03-16 22:21 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-07-12 18:04:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Exploit (1.29 KB, text/plain)
2001-07-09 10:33 EDT, Paul Nasrat
no flags Details
Sample config file (609 bytes, text/plain)
2001-07-09 10:36 EDT, Paul Nasrat
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2001:097 normal SHIPPED_LIVE : New squid packages for Red Hat Linux 7.0 2001-07-12 00:00:00 EDT

  None (edit)
Description Paul Nasrat 2001-07-09 10:31:16 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.17-14enterprise i686)

Description of problem:
Squid has a known bug in 2.3STABLE4 which ignores acl's in httpd_accel
mode.  This enables portscanning via squid running in this mode potentially
allowing 

How reproducible:
Always

Steps to Reproduce:
1.Set squid to httpd_accel mode, with a particular host and strict acl's
2. export httpd_proxy="http://squid-server:port"
3. lynx http://victim:22/
	

Actual Results:  You get a http 200 code if the port is open and sometimes
a response with some services SSH, SMTP, etc

Expected Results:  Should be access denied

Additional info:

RH 7.1 using squid-2.3.STABLE4-10 includes these patches
Comment 1 Paul Nasrat 2001-07-09 10:33:11 EDT
Created attachment 23087 [details]
Exploit
Comment 2 Paul Nasrat 2001-07-09 10:36:54 EDT
Created attachment 23088 [details]
Sample config file
Comment 3 Bill Nottingham 2001-07-23 01:21:25 EDT
Fixed in the errata release.

Note You need to log in before you can comment on or make changes to this bug.