Re: Squid doesn't quote urls in error messages.

[Robert Collins <robert.collins () ITDOMAIN COM AU>]

You have to get the browser to send non-escaped URI's for that to work.

The client-agent has to escape the URI before sending to the origin server
or proxy. Try pasting either of your examples into the address bar in IE and
see what actually gets sent to squid -

http://www.dotcom.com/%20%3Cb%3Etest%3C/b%3E

What's the general consensus on this as a risk? Getting the exact unaltered
url from squid is very useful for troubleshooting problems through squid.
And Squid cannot change the url when it receives it - thats against rfc
2616. When you say quoting I presume you mean replace , with < etc etc?
It should be easy enough to do - theres a single point in the code (see
errorpage.c) where the error pages have the troublesome URI returned.

Rob

----- Original Message -----
From: "Lincoln Yeoh" <lyeoh () POP JARING MY>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Friday, October 27, 2000 8:47 PM
Subject: Squid doesn't quote urls in error messages.


> Hi,
>
> I noticed that Squid 2.3.STABLE4 doesn't quote urls in error messages.
>
> For example if a user visits the following url
>
> http://www.dotcom.com/ <b>test</b>
>
> The user will get an invalid url page with test in bold.
>
> Or even more fun with:
> http://www.somecompany.com/<img src="http://www.mysite.com/mylogo.gif";>
>
> You can actually get a working form in such an error message! Javascript
too.
> So it may be possible to rip out other site's cookies from browsers using
> this (see DKrypt's and other peoples stuff on it).
>
> Also maybe do a fake form/page :).
>
> I haven't really tried it myself, and so I can't confirm if it really
works
> (that's why it's in VULN-DEV ;) ).
>
> Cheerio,
> Link.