Squid proxy string processing Null Pointer Reference Vulnerability

Squid proxy string processing Null Pointer Reference Vulnerability

Release date: 2010-09-03
Updated on: 2010-09-07

Affected Systems:
Squid Web Proxy Cache 3.2
Squid Web Proxy Cache 3.1
Squid Web Proxy Cache 3.0
Unaffected system:
Squid Web Proxy Cache 3.2.0.2
Squid Web Proxy Cache 3.1.8
Description:
--------------------------------------------------------------------------------
Bugtraq id: 42982

Squid is an efficient Web Cache and proxy program. It was initially developed for the Unix platform and has been transplanted to Linux and most Unix systems, the latest Squid can run on Windows.

Some Squid internal string processing routines do not properly check the NULL pointer. Remote attackers can cause DoS by sending malicious requests.

<* Source: Phil Oester

Link: http://secunia.com/advisories/41298/
Http://www.squid-cache.org/Advisories/SQUID-2010_3.txt
*>

Suggestion:
--------------------------------------------------------------------------------
Temporary solution:

If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:

1) set ignore_expect_100 squid. conf to off (default) or delete from squid. conf completely.

2) Compile Squid -- disable-http-violations.

Vendor patch:

Squid
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9189.patch
Http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10090.patch