FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

squid -- possible cache-poisoning via malformed HTTP responses

Affected packages
squid < 2.5.7_9

Details

VuXML ID b4d94fa0-6e38-11d9-9e1e-c296ac722cb3
Discovery 2005-01-24
Entry 2005-01-24
Modified 2006-01-02

The squid patches page notes:

This patch makes Squid considerably stricter while parsing the HTTP protocol.

  1. A Content-length header should only appear once in a valid request or response. Multiple Content-length headers, in conjunction with specially crafted requests, may allow Squid's cache to be poisoned with bad content in certain situations.
  2. CR characters is only allowed as part of the CR NL line terminator, not alone. This to ensure that all involved agrees on the structure of HTTP headers.
  3. Rejects requests/responses that have whitespace in an HTTP header name.
[source]

To enable these strict parsing rules, update to at least squid-2.5.7_9 and specify relaxed_header_parser off in squid.conf.

References

CERT/CC Vulnerability Note 768702
CVE Name CVE-2005-0174
URL http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.