Due to incorrect input handling, Squid is vulnerable to a Cross-Site Scripting vulnerability when generating HTTPS response messages about TLS errors.

Upstream advisory: http://www.squid-cache.org/Advisories/SQUID-2018_4.txt

Upstream patches:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-f1657a9decc820f748fa3aff68168d3145258031.patch
http://www.squid-cache.org/Versions/v4/changesets/squid-4-828245b90206602014ce057c3db39fb80fcc4b08.patch
Created squid tracking bugs for this issue: Affects: fedora-all [bug 1645147]
When Squid produces an ERR_SECURE_CONNECT_FAIL error, the origin content server certificate's information is displayed as part of the error page without proper escaping. An attacker who can control the certificate used on the origin content server and who can trigger an ERR_SECURE_CONNECT_FAIL error may be able to inject scripting code into the generated page, which will be executed in the client's browser.
Squid on RHEL 6 does not escape the certificate's information properly either, but it ships no error page that uses the "%D" macro to print it.
External References: http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
Mitigation: Remove the %D error page macro from the ERR_SECURE_CONNECT_FAIL pages found under /usr/share/squid/errors/ and from any custom error pages.
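The mitigation above is a manual edit of template files, so an administrator will want a way to find every affected template first and to verify that none remain after the edit. The following script is an added example written for this bug report; it is not part of Squid or of the upstream patch. It assumes the stock layout in which each language subdirectory under /usr/share/squid/errors/ holds one template named ERR_SECURE_CONNECT_FAIL, and that the %D macro appears literally in the template text (both the directory and the macro name come from the report; the per-language layout is an assumption). On a RHEL 6 system, where no shipped page uses %D, the check is expected to report nothing.

```shell
#!/bin/sh
# Added example, not Squid's own code: locate ERR_SECURE_CONNECT_FAIL
# templates that still contain the %D macro, and produce a copy with
# the macro removed for review before replacing the original.

# List every ERR_SECURE_CONNECT_FAIL template under $1 (default:
# /usr/share/squid/errors) that still contains %D.  Prints one path per
# line; prints nothing, and returns 0, when no template uses the macro
# (the "|| true" keeps grep's no-match status from being treated as an
# error).  Custom error pages kept elsewhere must be passed explicitly.
find_unescaped_d_macro() {
  dir="${1:-/usr/share/squid/errors}"
  find "$dir" -type f -name 'ERR_SECURE_CONNECT_FAIL' \
       -exec grep -l '%D' {} + 2>/dev/null || true
}

# Write a copy of the template with every %D occurrence removed to
# "<file>.fixed".  The original is left untouched so the two can be
# diffed before the fixed copy is moved into place.
strip_d_macro() {
  sed 's/%D//g' "$1" > "$1.fixed"
}

# Usage:  sh check_squid_d_macro.sh [/path/to/squid/errors]
# Runs the check only when a directory argument is given, so the
# functions can also be sourced into another script.
if [ $# -gt 0 ]; then
  find_unescaped_d_macro "$1"
fi
```

After reviewing `diff ERR_SECURE_CONNECT_FAIL ERR_SECURE_CONNECT_FAIL.fixed`, move the fixed copy over the original and rerun the check; an empty result means no shipped template still prints the unescaped certificate details. Custom error pages configured outside /usr/share/squid/errors/ need to be checked the same way, and the change has to be repeated if a package update restores the stock templates.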