Allele Security Alert
ASA-2018-00011, SQUID-2018:4, CVE-2018-19131
Cross-Site Scripting issue in TLS error processing
The Squid project
Squid 18.104.22.168 -> 3.1.23
Squid 22.214.171.124 -> 3.5.28
Squid 4.0 -> 4.3
Proof of concept
Due to incorrect input handling, Squid is vulnerable to a Cross-Site Scripting vulnerability when generating HTTPS response messages about TLS errors.
Several fields of X.509 certificates can contain HTML syntax and were not being correctly quoted/encoded before being inserted into the HTML error pages generated by the proxy. This issue allows an attacker to craft an X.509 certificate that both triggers an error and alters how that error is displayed by a client such as a browser.
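As an added illustration (not code from Squid or from this advisory), the following C++ model shows the bug class: the same certificate-derived strings rendered into a TLS error page with and without HTML encoding, plus a check that flags certificate fields containing markup characters. The `CertFields` type, the function names and the sample certificate are constructed for this example.

```cpp
#include <string>

// Constructed, minimal stand-in for the certificate fields a proxy would
// interpolate into a TLS error page (not Squid's own data structures).
struct CertFields {
    std::string subject;
    std::string issuer;
};

// Encode the characters that can change HTML structure or attribute context.
std::string htmlEncode(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;
        }
    }
    return out;
}

// Vulnerable pattern: raw certificate strings concatenated into the page,
// so any markup inside the subject or issuer is interpreted by the browser.
std::string renderErrorPageUnsafe(const CertFields &cert) {
    return "<p>Certificate subject: " + cert.subject +
           "<br>Issuer: " + cert.issuer + "</p>";
}

// Hardened pattern: every certificate-derived string is encoded before
// insertion, so it is displayed as text rather than parsed as HTML.
std::string renderErrorPageSafe(const CertFields &cert) {
    return "<p>Certificate subject: " + htmlEncode(cert.subject) +
           "<br>Issuer: " + htmlEncode(cert.issuer) + "</p>";
}

// Defender check: report certificate fields that carry HTML-significant
// characters, e.g. to log or alert on certificates that would have
// needed encoding before being shown in an error page.
bool fieldNeedsEncoding(const std::string &field) {
    return field.find_first_of("&<>\"'") != std::string::npos;
}

// Constructed sample: a subject carrying harmless markup, a plain issuer.
CertFields sampleCert() {
    return CertFields{"CN=<b>example.test</b>", "O=Constructed Test CA"};
}
```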
Nikolas Lohmann (eBlocker GmbH) and Christos Tsantilas (Measurement Factory)
Squid Proxy Cache Security Update Advisory SQUID-2018:4
Squid Proxy multiple vulnerabilities
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: February 1, 2019