[squid-users] Arbitrary HTML code

From: Henrik Larsson (GIS) <Henrik.Larsson@dont-contact.us>
Date: Wed, 17 Oct 2001 10:59:53 +0200

Hello,

Is this something I should worry about? I'm running Squid 2.3.STABLE4 under RH 6.1. Should I apply a patch for this?

A security vulnerability in the product allows attackers to
insert arbitrary HTML code into the response sent back to the
user. This would allow an attacker to send back JavaScript,
HTML redirectors, etc.

Details
Vulnerable systems:
Squid version 2.3.STABLE4 and prior
Squid version 2.4.DEVEL4 and prior

Squid does not properly ensure that the text sent back
to the user is properly encoded as HTML. This enables a
malicious user to insert script code or other HTML tags, and
exploit the web browser of any user visiting their page.

Example:
Accessing the following URL:
http://www.example.com/<b>test</b>
        
Will cause the user to get an invalid URL page with
test in bold.

/henrik
Received on Wed Oct 17 2001 - 03:00:08 MDT
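The quoted advisory describes a reflected cross-site scripting bug: the proxy's "invalid URL" error page splices the requested URL into its HTML without escaping it, so `<b>test</b>` in the request path is rendered as markup. The following is an added illustration of that failure mode beside the usual fix, written for this page; it is not Squid's source, the page template and function names are made up for the example, and the request URL is the one from the advisory.

```c
/* Added example: a proxy error page that interpolates a client-supplied
 * URL verbatim (vulnerable), beside one that HTML-escapes the URL first.
 * Illustrative code only; not Squid's own implementation.  The template,
 * function names and sample URL are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated copy of s in which the characters that can
 * open a tag, attribute or entity are replaced by HTML entities.  The
 * caller frees the result. */
char *html_escape(const char *s)
{
    size_t cap = strlen(s) * 6 + 1;   /* worst case: every byte -> "&quot;" */
    char *out = malloc(cap);
    char *p = out;
    if (!out)
        return NULL;
    for (; *s; s++) {
        const char *rep;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = NULL;     break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(p, rep, n);
            p += n;
        } else {
            *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Made-up error page template; the URL lands where the %s is. */
static const char *TEMPLATE =
    "<html><body><h1>Invalid URL</h1>"
    "<p>The requested URL %s could not be retrieved.</p>"
    "</body></html>";

/* Splice url_text into the template as-is.  Caller frees. */
static char *interpolate(const char *url_text)
{
    size_t len = strlen(TEMPLATE) + strlen(url_text) + 1;
    char *page = malloc(len);
    if (page)
        snprintf(page, len, TEMPLATE, url_text);
    return page;
}

/* Vulnerable rendering: the client-controlled URL becomes markup. */
char *render_error_vulnerable(const char *url)
{
    return interpolate(url);
}

/* Hardened rendering: escape first, so the URL is displayed as text. */
char *render_error_safe(const char *url)
{
    char *esc = html_escape(url);
    char *page = esc ? interpolate(esc) : NULL;
    free(esc);
    return page;
}

/* 1 if escaping `in` yields exactly `expected`, else 0. */
int escapes_to(const char *in, const char *expected)
{
    char *e = html_escape(in);
    int ok = e && strcmp(e, expected) == 0;
    free(e);
    return ok;
}

/* 1 if the page rendered for `url` (safe != 0 selects the hardened
 * renderer) contains the literal substring `needle`, else 0. */
int rendered_contains(int safe, const char *url, const char *needle)
{
    char *page = safe ? render_error_safe(url) : render_error_vulnerable(url);
    int found = page && strstr(page, needle) != NULL;
    free(page);
    return found;
}

int main(void)
{
    const char *url = "http://www.example.com/<b>test</b>";  /* from the advisory */
    char *bad = render_error_vulnerable(url);
    char *good = render_error_safe(url);
    printf("vulnerable:\n%s\n\nescaped:\n%s\n", bad, good);
    free(bad);
    free(good);
    return 0;
}
```

The vulnerable page carries `<b>test</b>` through to the browser as a tag, which is exactly what makes a `<script>` or meta-refresh payload in the request path execute in the error page's origin; the hardened page shows the same bytes as `&lt;b&gt;test&lt;/b&gt;`. Escaping must happen at the point where untrusted text is written into HTML, and the same rule applies to every other request-derived value that appears on an error page, such as the Host header or the proxy's own error message text.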
