1645146 – (CVE-2018-19131) CVE-2018-19131 squid: Cross-Site Scripting when generating HTTPS response messages about TLS errors

Bug 1645146 (CVE-2018-19131) - CVE-2018-19131 squid: Cross-Site Scripting when generating HTTPS response messages about TLS errors

Summary: CVE-2018-19131 squid: Cross-Site Scripting when generating HTTPS response mes...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-19131
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1645147 1645148 1651557
Blocks:	1645151
TreeView+	depends on / blocked

Reported:	2018-11-01 13:47 UTC by Pedro Sampaio
Modified:	2022-03-13 15:56 UTC (History)
CC List:	5 users (show)
Fixed In Version:	Squid 4.4, Squid 3.5
Doc Type:	If docs needed, set a value
Doc Text:	A Cross-Site Scripting vulnerability has been discovered in squid in the way X.509 certificates fields are displayed in some error pages. An attacker who can control the certificate of the origin content server may use this flaw to inject scripting code in the squid generated page, which is executed on the client's browser.
Clone Of:
Environment:
Last Closed:	2021-10-25 22:20:53 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2018-11-01 13:47:01 UTC

Due to incorrect input handling, Squid is vulnerable to a Cross-Site Scripting vulnerability when generating HTTPS response messages about TLS errors.

Upstream advisory:

http://www.squid-cache.org/Advisories/SQUID-2018_4.txt

Upstream patch:

http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-f1657a9decc820f748fa3aff68168d3145258031.patch
http://www.squid-cache.org/Versions/v4/changesets/squid-4-828245b90206602014ce057c3db39fb80fcc4b08.patch

Comment 1 Pedro Sampaio 2018-11-01 13:47:54 UTC

Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1645147]

Comment 4 Riccardo Schirone 2018-11-20 10:25:27 UTC

When Squid produces a ERR_SECURE_CONNECT_FAIL, the origin content server certificate's information are displayed as part of the error page without proper escaping. An attacker who can control the certificate used on the origin content server and that can produce a ERR_SECURE_CONNECT_FAIL error may be able to inject scripting code in the generated page, which will be executed in the client's browser.

Comment 5 Riccardo Schirone 2018-11-20 10:41:13 UTC

Squid on RHEL 6 does not escape the certificate's information properly, but it has no page that uses the "%D" format to print them.

Comment 7 Riccardo Schirone 2018-11-20 10:45:31 UTC

External References:

http://www.squid-cache.org/Advisories/SQUID-2018_4.txt

Comment 8 Riccardo Schirone 2018-11-20 10:45:39 UTC

Mitigation:

Remove %D error page macro from ERR_SECURE_CONNECT_FAIL pages found under /usr/share/squid/errors/ and any custom error pages.

Note You need to log in before you can comment on or make changes to this bug.