Allele Security Alert
ASA-2018-00011
Identifier(s)
ASA-2018-00011, SQUID-2018:4, CVE-2018-19131
Title
Cross-Site Scripting issue in TLS error processing
Vendor(s)
The Squid project
Product(s)
Squid
Affected version(s)
Squid 3.1.12.1 -> 3.1.23
Squid 3.2.0.4 -> 3.5.28
Squid 4.0 -> 4.3
Fixed version(s)
Squid 4.4
Proof of concept
Unknown
Description
Due to incorrect input handling, Squid is vulnerable to Cross-Site Scripting when generating HTTPS response messages about TLS errors.
Several fields of X.509 certificates can contain HTML syntax and were not being correctly quoted/encoded before being inserted into the HTML error pages generated by the proxy. This issue allows an attacker to craft an X.509 certificate that both triggers an error and alters how that error is displayed by a client such as a browser.
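The defect described above is a missing output-encoding step: certificate-derived strings were written into an HTML template verbatim. The following is an added illustration, not code from Squid or from the advisory authors; the error-page template, the subject fields (a constructed example whose CN and O values carry HTML markup) and the helper names are all assumptions made for the example. It renders the same error page the vulnerable way and the hardened way, and includes a small check that flags tags in the output that did not come from the static template.

```python
import html
import re

# Constructed sample: subject fields of a certificate that would trigger a TLS
# error (for example an untrusted issuer). The CN and O values contain HTML
# markup, which the advisory notes X.509 fields may carry. Not a real certificate.
UNTRUSTED_SUBJECT = {
    "CN": "<b>Trusted Site</b> example.test",
    "O": "Example Org <i>unverified</i>",
    "C": "XX",
}

# Hypothetical error-page template, standing in for a proxy's generated page.
ERROR_TEMPLATE = (
    "<html><body><h1>TLS error</h1>"
    "<p>Could not verify the certificate presented by the server.</p>"
    "<p>Subject: {subject}</p>"
    "</body></html>"
)


def format_subject(fields: dict) -> str:
    """Render the subject as a comma-separated list of RDN pairs."""
    return ", ".join(f"{k}={v}" for k, v in fields.items())


def render_error_page_unsafe(fields: dict) -> str:
    """Vulnerable pattern: certificate text is dropped into the HTML verbatim."""
    return ERROR_TEMPLATE.format(subject=format_subject(fields))


def render_error_page_safe(fields: dict) -> str:
    """Hardened pattern: every certificate-derived string is HTML-escaped
    before it reaches the template. quote=True also escapes " and ', so the
    same value would be safe inside an attribute."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    return ERROR_TEMPLATE.format(subject=format_subject(escaped))


TAG_RE = re.compile(r"<[^>]+>")


def injected_tags(page: str) -> list:
    """Return any tags present in the rendered page that are not part of the
    static template, i.e. markup that came from untrusted input."""
    template_tags = set(TAG_RE.findall(ERROR_TEMPLATE))
    return [t for t in TAG_RE.findall(page) if t not in template_tags]


if __name__ == "__main__":
    unsafe = render_error_page_unsafe(UNTRUSTED_SUBJECT)
    safe = render_error_page_safe(UNTRUSTED_SUBJECT)
    print("unsafe page injects:", injected_tags(unsafe))
    print("safe page injects:  ", injected_tags(safe))
    print(safe)
```

The check in `injected_tags` is deliberately simple: it only compares tag strings against the template, so it is a regression test for this one rendering path, not a general HTML sanitiser. The real fix is the escaping in `render_error_page_safe`; the check only confirms that escaping happened.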
Technical details
Unknown
Credits
Nikolas Lohmann (eBlocker GmbH) and Christos Tsantilas (Measurement Factory)
Reference(s)
Squid Proxy Cache Security Update Advisory SQUID-2018:4
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
Squid Proxy multiple vulnerabilities
https://seclists.org/oss-sec/2018/q4/101
CVE-2018-19131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19131
CVE-2018-19131
https://nvd.nist.gov/vuln/detail/CVE-2018-19131
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: February 1, 2019