Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.

[Joshua Rogers <megamansec () gmail com>]

Hi all,

I've updated the page with the following IDs which may be used for tracking:

strlen(NULL) Crash Using Digest Authentication
        GHSA-254c-93q9-cp53

Assertion Due to 0 ESI 'when' Checking
        GHSA-4g88-277m-q89r

Assertion Using ESI's When Directive
        GHSA-4g88-277m-q89r

Stack Buffer Overflow in Digest Authentication
        GHSA-phqj-m8gv-cq4g

Buffer Underflow in ESI
        GHSA-wgvf-q977-9xjg

Cheers,
Josh

On Fri, Oct 13, 2023 at 8:23 PM Joshua Rogers <megamansec () gmail com> wrote:

> Hi Amos, oss-security,
>
> I've added GHSA-543m-w2m2-g255 and CVE-2021-46784 for 'Cache Poisoning by
> Large Stored Response Headers (With Bonus XSS)' and 'Assertion in Gopher
> Response Handling' respectively: GHSA-543m-w2m2-g255 and CVE-2021-46784
>
> However, for "Gopher Assertion Crash", GHSA-f5cp-6rh3-284w does not apply.
> "Gopher Assertion Crash" concerns an assertion "assertion failed:
> store.cc:832: "store_status == STORE_PENDING"" while GHSA-f5cp-6rh3-284w
> concerns an assertion: "assertion failed: String.cc:172: "canGrowBy(len)""
>
> To the best of my knowledge the former (without a current GHSA or CVE) is
> unfixed.
>
> Cheers,
> Josh
>
> On Fri, Oct 13, 2023 at 3:54 AM Amos Jeffries <squid3 () treenet co nz>
> wrote:
>
> > Some reference updates.
> >
> >
> > On 11/10/23 20:55, Joshua Rogers wrote:
> > > The issues are listed below. Due to the sheer size of issues discovered,
> > > technical details are not included in this email. However, breakdowns of
> > > the code and proof-of-concepts can be found on GitHub:
> > > https://megamansec.github.io/Squid-Security-Audit/
> >
> > > Cache Poisoning by Large Stored Response Headers (With Bonus XSS)
> >
> >   ... GHSA-543m-w2m2-g255
> >
> > > Gopher Assertion Crash
> >
> >   ... GHSA-f5cp-6rh3-284w
> >
> > > Assertion in Gopher Response Handling
> >
> >   ... CVE-2021-46784 / GHSA-f5cp-6rh3-284w
> >
> >
> >
> > AYJ