[squid-users] Security Flaw

From: SQUIDCACHE <squidcache@dont-contact.us>
Date: Thu, 27 Jun 2002 10:19:19 -0300

I saw that in some ACL configurations there is a security flaw when I set up an ACL schema like this:

****************************** squid.conf **************************************************************************
authenticate_program /usr/local/squid/libexec/squid/smb_auth -W YourDomainHere -U YourPDCHere

acl okdomains dstdomain .cisco.com .sun.com .oracle.com .anydomain.com

acl domainusers proxy_auth REQUIRED

acl prohibitedsites dstdomain .msgr.hotmail.com cs.yahoo.com

http_access deny prohibitedsites
http_access allow okdomains
http_access allow domainusers !okdomains

****************************** squid.conf **************************************************************************

If you first connect to a site that is not in "okdomains", squid-cache will ask for authorization; this authorization will remain cached in the browser and will be used in the next hits. Then, if you try to reach some page from the "okdomains" list, the browser will resend the authorization credentials. Remember that in this ACL schema the "okdomains" do not need authorization, so when it reaches http.c line 689

********************************************* http.c ***********************************************************

        case HDR_PROXY_AUTHORIZATION:
            /* If we're not doing proxy auth, then it must be passed on */
            if (!request->flags.used_proxy_auth)
                httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e));
            break;
        case HDR_AUTHORIZATION:
            /* If we're not doing www auth, then it must be passed on */
            if (!request->flags.accelerated || !request->flags.used_proxy_auth)
                httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e));
            else

********************************************* http.c ***********************************************************

this domain does not need authorization, so squid-cache will put the authorization in the request.

I suspect that this occurs only in a mixed schema with domains that need authorization and domains that do not need authorization.

This issue is a serious security flaw when you do authentication of any type because the credentials are sent to the internet.

Cheers

Hernán Otero
Security Analyst
Received on Thu Jun 27 2002 - 07:20:56 MDT

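The ordering problem described in the post, as an added example in Python that is not part of the original message or of Squid's code: it models first-match http_access evaluation for the posted squid.conf together with the Proxy-Authorization rule from the http.c excerpt, so you can see which requests carry a browser-cached credential on to the origin server. The used_proxy_auth flag and the strip_always hardened variant are assumptions of this model.

```python
# Added example, not Squid code: a small model of first-match http_access
# evaluation plus the Proxy-Authorization forwarding rule from the http.c
# excerpt, to show which requests send the cached credential upstream.

OK_DOMAINS = (".cisco.com", ".sun.com", ".oracle.com", ".anydomain.com")
PROHIBITED = (".msgr.hotmail.com", "cs.yahoo.com")

def dstdomain_match(host, patterns):
    """dstdomain semantics: a leading dot matches the domain and its subdomains."""
    host = host.lower()
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False

def http_access(host, has_credentials):
    """Evaluate the post's http_access lines in order; first match wins.

    Returns (decision, used_proxy_auth). used_proxy_auth models
    request->flags.used_proxy_auth (assumption): it is set only when the
    proxy_auth ACL is actually evaluated for this request.
    """
    if dstdomain_match(host, PROHIBITED):      # http_access deny prohibitedsites
        return "deny", False
    if dstdomain_match(host, OK_DOMAINS):      # http_access allow okdomains
        return "allow", False                  # proxy_auth never consulted
    # http_access allow domainusers !okdomains -> proxy_auth ACL runs here
    if has_credentials:
        return "allow", True
    return "407", True

def forwards_proxy_authorization(used_proxy_auth, strip_always=False):
    """Header rule from the http.c excerpt: pass Proxy-Authorization on
    whenever Squid did not use it. strip_always is an assumed hardened
    variant that never sends a proxy credential to an origin server."""
    if strip_always:
        return False
    return not used_proxy_auth

def leaks_credential(host, has_credentials, strip_always=False):
    """True when a browser-cached credential would reach the origin server."""
    decision, used = http_access(host, has_credentials)
    return decision == "allow" and has_credentials and \
        forwards_proxy_authorization(used, strip_always)
```

A request to www.cisco.com that still carries the credential cached from an earlier authenticated site is allowed by the okdomains rule before proxy_auth is ever consulted, so the header is copied upstream; the same credential sent to a non-okdomains host is consumed by Squid and not forwarded.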