It is known that Squid-2.4 and ealier will by design forward
proxy-authentication to other peers if not used locally. But is was
not known that Squid-2.4 is a this keen in forwarding any unused
proxy authentication and forwards it to web servers as well. The code
should read
case HDR_PROXY_AUTHORIZATION:
/* If we're not doing proxy auth, then it must be passed
on */
if (request->flags.proxying &&
!request->flags.used_proxy_auth)
httpHeaderAddEntry(hdr_out, httpHeaderEntryClone(e));
break;
A patch has been produced and can be found at
http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE6-proxy_auth
Note: Squid-2.5 and later is unaffected due to a redesign in how user
proxy credentails are forwarded.
Next time you find a Squid security issue, please use the
squid-bugs@squid-cache.org address.
Regards
Henrik Nordström
On Thursday 27 June 2002 15.19, SQUIDCACHE wrote:
> I saw that in some ACL´s configuration there is a security flaw
> when i do an ACL schema like this
>
>
> ****************************** squid.conf
> *******************************************************************
>******* authenticate_program /usr/local/squid/libexec/squid/smb_auth
> -W YourDomainHere -U YourPDCHere
>
> acl okdomains .cisco.com .sun.com .oracle.com .anydomain.com
>
> acl domainusers proxy_auth REQUIRED
>
> acl prohibitedsites dstdomain .msgr.hotmail.com cs.yahoo.com
>
> http_access deny prohibitedsites
> http_access allow okdomains
> http_access allow domainusers !okdomains
>
>
> ****************************** squid.conf
> *******************************************************************
>*******
>
>
> If first connect to a non "okdomains" the squid-cache will ask for
> authorization, this authorization will remain cached in the browser
> an will be used in the next hit´s then if you try to reach some
> page from the "okdomains" list, the browser, will resend de
> authorization credentials. Remember for the ACL´s schema that the
> "okdomains" do not need authorization so when it reach the http.c
> line 689
>
> ********************************************* http.c
> ***********************************************************
>
> case HDR_PROXY_AUTHORIZATION:
> /* If we're not doing proxy auth, then it must be
> passed on */ if (!request->flags.used_proxy_auth)
> httpHeaderAddEntry(hdr_out,
> httpHeaderEntryClone(e)); break;
> case HDR_AUTHORIZATION:
> /* If we're not doing www auth, then it must be passed
> on */ if (!request->flags.accelerated ||
> !request->flags.used_proxy_auth) httpHeaderAddEntry(hdr_out,
> httpHeaderEntryClone(e)); else
>
> ********************************************* http.c
> ***********************************************************
>
> this domain not need authorization so squid-cache will put the
> authorization in the request.
>
> I suspect that this occur only in a mixed schema with domains that
> need authorization and domains that not need the authorization.
>
> This issue is a serious security flaw when you do authentication of
> any type becouse the credentials are send to the internet.
>
> Cheer´s
>
> Hernán Otero
> Security Analyst
Received on Thu Jun 27 2002 - 18:10:11 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:51 MST