Vulnerability Development mailing list archives
Re: Squid doesn't quote urls in error messages.
From: Robert Collins <robert.collins () ITDOMAIN COM AU>
Date: Sat, 28 Oct 2000 12:16:18 +1100
You have to get the browser to send non-escaped URIs for that to work. The client-agent has to escape the URI before sending to the origin server or proxy. Try pasting either of your examples into the address bar in IE and see what actually gets sent to squid - http://www.dotcom.com/%20%3Cb%3Etest%3C/b%3E

What's the general consensus on this as a risk? Getting the exact unaltered url from squid is very useful for troubleshooting problems through squid. And Squid cannot change the url when it receives it - that's against rfc 2616.

When you say quoting I presume you mean replace <, > with &lt; etc etc? It should be easy enough to do - there's a single point in the code (see errorpage.c) where the error pages have the troublesome URI returned.

Rob

----- Original Message -----
From: "Lincoln Yeoh" <lyeoh () POP JARING MY>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Friday, October 27, 2000 8:47 PM
Subject: Squid doesn't quote urls in error messages.
Hi,

I noticed that Squid 2.3.STABLE4 doesn't quote urls in error messages.

For example if a user visits the following url

http://www.dotcom.com/ <b>test</b>

The user will get an invalid url page with test in bold.

Or even more fun with:

http://www.somecompany.com/<img src="http://www.mysite.com/mylogo.gif">

You can actually get a working form in such an error message! Javascript too.

So it may be possible to rip out other site's cookies from browsers using this (see DKrypt's and other people's stuff on it). Also maybe do a fake form/page :).

I haven't really tried it myself, and so I can't confirm if it really works (that's why it's in VULN-DEV ;) ).

Cheerio,
Link.
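
The quoting discussed in this thread, as an added example that is not part of the original messages and is not Squid's code: the request URL is stored and forwarded unaltered, and only the copy written into the HTML error page is entity-escaped. The names html_escape and render_error, the buffer sizes and the page template are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: HTML-escape src into dst (capacity dstlen).
 * Returns the escaped length, or -1 if the result does not fit. */
static int html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t used = 0;
    if (dstlen == 0)
        return -1;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > dstlen)
            return -1;          /* fail closed, never emit a cut entity */
        memcpy(dst + used, rep, n);
        used += n;
    }
    dst[used] = '\0';
    return (int)used;
}

/* Hypothetical error-page builder: url itself is left untouched, so the
 * exact request is still available for logging and troubleshooting. */
static int render_error(const char *url, char *page, size_t pagelen)
{
    char safe[1024];
    if (html_escape(url, safe, sizeof safe) < 0)
        return -1;
    int n = snprintf(page, pagelen,
        "<html><body><h1>Invalid URL</h1><p>%s</p></body></html>", safe);
    return (n < 0 || (size_t)n >= pagelen) ? -1 : n;
}

int main(void)
{
    char page[2048];
    /* Constructed input: the example URL from the original report. */
    if (render_error("http://www.dotcom.com/ <b>test</b>", page, sizeof page) > 0)
        puts(page);
    return 0;
}
```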