Vulnerability Development mailing list archives
Re: Squid doesn't quote urls in error messages.
From: Robert Collins <robert.collins () ITDOMAIN COM AU>
Date: Tue, 31 Oct 2000 21:10:11 +1100
In fact someone posted a proof-of-concept (no spaces) 'ploit later that day - and I threw together a patch for squid to html quote the url. The squid dev team is currently cross checking other generated pages (such as gopher-html retrieval) and there will be an official supported patch for all currently supported versions of squid in the near future.

Just as a side note: Even though squid is open source and not proprietary, it might have been nice to run this past the squid developers before giving Mr Georgi Guninski and others ideas :-]. There hasn't been a 'formal' security address for squid - but one is being set up to allow quick examination of these issues.

Rob

NB: I don't speak for the squid in any official sense... I just hack on squid in my spare time.

----- Original Message -----
From: "Lincoln Yeoh" <lyeoh () POP JARING MY>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Tuesday, October 31, 2000 12:34 PM
Subject: Re: Squid doesn't quote urls in error messages.
> At 12:16 PM 28-10-2000 +1100, Robert Collins wrote:
> > You have to get the browser to send non-escaped URI's for that to work.
>
> Some Netscape browsers don't convert spaces to %20. But you don't need to rely on that. All you need to do is find some way of getting the Squid proxy to complain, and then it will send an error page with the url to you.
>
> For example you could try:
>
> http://nonexistentname.amazon.com/<script>alert(this.document.cookie)</script>
>
> Squid will then give you a "The requested URL could not be retrieved" page, and if you have javascript enabled you'll get an alert box.
>
> > What's the general consensus on this as a risk? Getting the exact unaltered url from squid is very useful for troubleshooting problems through squid. And Squid cannot change the url when it receives it - that's against rfc
>
> I strongly agree, getting the exact unaltered url from squid can be useful.
>
> But if I'm getting one, I want an exact unaltered url from squid, not a full fledged autosubmitting form or fancy javascript bird flying around my cursor ;). It's a risk, especially to those who have javascript on. I believe there are already ways to exploit it. Even if there aren't any now, I'm sure Mr Georgi Guninski can come up with one or two every couple of weeks ;).
>
> Cheerio,
> Link.
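The fix the thread converges on is to keep the URL byte-for-byte intact for the administrator while HTML-quoting it before it is embedded in the generated error page. The C below is an added illustration of that approach, written for this archive page; it is not the patch Robert Collins mentions nor any code from the Squid project. The function names `html_quote`, `build_error_page` and `page_is_inert`, the page template, and the sample URL (which uses a constructed hostname) are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Map each HTML-significant byte to its entity; NULL means copy as-is. */
static const char *html_entity(unsigned char c)
{
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Return a newly allocated copy of s with HTML metacharacters replaced by
 * entities, so s can sit inside an HTML text node or a double-quoted
 * attribute without being parsed as markup. The caller frees the result.
 * Nothing is removed or re-encoded: the original URL is fully recoverable
 * by the reader of the page, which is the troubleshooting property wanted. */
char *html_quote(const char *s)
{
    size_t need = 1;                       /* room for the terminating NUL */
    const unsigned char *p;
    for (p = (const unsigned char *)s; *p; p++) {
        const char *e = html_entity(*p);
        need += e ? strlen(e) : 1;
    }
    char *out = malloc(need);
    if (!out)
        return NULL;
    char *q = out;
    for (p = (const unsigned char *)s; *p; p++) {
        const char *e = html_entity(*p);
        if (e) {
            size_t n = strlen(e);
            memcpy(q, e, n);
            q += n;
        } else {
            *q++ = (char)*p;
        }
    }
    *q = '\0';
    return out;
}

/* Build a minimal "could not be retrieved" page (hypothetical template).
 * The URL is shown exactly as received, but only after quoting, so any
 * markup or script inside it is rendered as text instead of executed.
 * The caller frees the result. */
char *build_error_page(const char *url)
{
    static const char fmt[] =
        "<html><body><h1>The requested URL could not be retrieved</h1>\n"
        "<p>While trying to retrieve the URL: <a href=\"%s\">%s</a></p>\n"
        "</body></html>\n";
    char *quoted = html_quote(url);
    if (!quoted)
        return NULL;
    size_t len = strlen(fmt) + 2 * strlen(quoted) + 1;
    char *page = malloc(len);
    if (page)
        snprintf(page, len, fmt, quoted, quoted);
    free(quoted);
    return page;
}

/* Simple check a reviewer can run over generated pages: 1 if no raw
 * "<script" sequence survived quoting, 0 otherwise. */
int page_is_inert(const char *page)
{
    return strstr(page, "<script") == NULL;
}

int main(void)
{
    /* Constructed request URL carrying the kind of payload the thread shows. */
    const char *url =
        "http://nonexistentname.example.com/<script>alert(this.document.cookie)</script>";
    char *page = build_error_page(url);
    if (!page)
        return 1;
    fputs(page, stdout);
    printf("inert: %s\n", page_is_inert(page) ? "yes" : "no");
    free(page);
    return 0;
}
```

Quoting is applied at the point where the string enters HTML, not when the request is parsed, so the proxy still handles and logs the URL untouched, which keeps the RFC point in the thread intact while removing the script-injection path.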
Current thread:
- Re: Squid doesn't quote urls in error messages. Lincoln Yeoh (Oct 31)
- Re: Squid doesn't quote urls in error messages. Robert Collins (Nov 01)
- Re: Squid doesn't quote urls in error messages. Lincoln Yeoh (Nov 02)
- Re: Squid doesn't quote urls in error messages. Robert Collins (Nov 01)