Red Hat Bugzilla – Bug 53906
Squid allows all proxy requests in accelerator mode
Last modified: 2014-03-16 22:23:34 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.6 i686; en-US; rv:0.9.1)
Description of problem:
If squid is configured in accelerator only mode, it will serve any proxy
request sent to the HTTP port.
This is a known security bug fixed over a year ago (see the ChangeLog of
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. telnet squidaccel server 80
2. GET http://random.remote.server.com/ HTTP/1.0
Actual Results: Squid serves the page.
Expected Results: It should refuse the request.
This bug has been fixed in Squid 2.3stable5 with patch:
The Squid website reports this bug was introduced in stable2, but Red Hat's
stable1 release also has it, due to inclusion of this patch:
This was fixed in the recent errata release of Squid for 6.2.
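
An added example, not part of the original report or of Squid itself: a check over Squid's native access.log format that flags requests the accelerator served for hosts it does not front, which is the behaviour described above. The hostnames, addresses and log lines are constructed, and the check assumes the accelerated site appears in the log under the names listed in `ACCELERATED_HOSTS`.

```python
from urllib.parse import urlsplit

# Assumption: hostnames this accelerator is meant to front (constructed value).
ACCELERATED_HOSTS = {"www.example.com"}

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
998400001.101 52 192.0.2.10 TCP_MISS/200 4120 GET http://www.example.com/index.html - DIRECT/10.0.0.5 text/html
998400002.250 310 198.51.100.7 TCP_MISS/200 15233 GET http://random.remote.server.com/ - DIRECT/203.0.113.9 text/html
998400003.007 2 198.51.100.7 TCP_DENIED/403 1050 GET http://other.example.net/ - NONE/- text/html
998400004.400 8 192.0.2.11 TCP_HIT/200 4120 GET http://WWW.EXAMPLE.COM:80/index.html - NONE/- text/html
truncated line
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None
    code, _, status = fields[3].partition("/")
    method, url = fields[5], fields[6]
    if method == "CONNECT":
        # CONNECT targets are logged as host:port, not as a full URL.
        host = url.rsplit(":", 1)[0].lower() or None
    else:
        host = urlsplit(url).hostname  # lower-cased, port stripped
    return {"client": fields[2], "code": code, "status": status,
            "method": method, "url": url, "host": host}

def foreign_requests_served(log_text, accelerated_hosts=ACCELERATED_HOSTS):
    """List entries where Squid served a URL whose host is not accelerated."""
    allowed = {h.lower() for h in accelerated_hosts}
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["host"] is None:
            continue
        if entry["code"].startswith("TCP_DENIED"):
            continue  # refused, which is the expected result in the report
        if entry["host"] not in allowed:
            findings.append(entry)
    return findings

if __name__ == "__main__":
    for hit in foreign_requests_served(SAMPLE_LOG):
        print(hit["client"], hit["method"], hit["url"], hit["status"])
```

Any finding on an accelerator-only host means requests for third-party sites are being served and the fixed package is not in effect.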