发布时间 :1999-12-31 00:00:00
修订时间 :2017-10-09 21:29:06

[原文]Squid 2.2.STABLE5 and below, when using external authentication, allows attackers to bypass access controls via a newline in the user/password pair.

[CNNVD]Squid C91访问控制漏洞(CNNVD-199912-132)

        Squid 2.2.STABLE5及以下版本存在访问控制漏洞。攻击者可以在应用外部认证时通过一个在用户/密码对中的换行符绕过访问控制。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  19991025 [squid] exploit for external authentication problem
(UNKNOWN)  XF  squid-proxy-auth-access(3433)

- 漏洞信息

Squid C91访问控制漏洞
中危 未知
1999-12-31 00:00:00 2005-05-02 00:00:00
        Squid 2.2.STABLE5及以下版本存在访问控制漏洞。攻击者可以在应用外部认证时通过一个在用户/密码对中的换行符绕过访问控制。

- 公告与补丁


- 漏洞信息 (19567)

National Science Foundation Squid Web Proxy 1.0/1.1/2.1 Authentication Failure (EDBID:19567)
linux remote
1999-10-25 Verified
0 Oezguer Kesim
N/A [点击下载]

There is a vulnerability present in certain versions of the Squid Web Proxy Cache developed by the National Science Foundation. This problem is only in effect when users of the cache are using an external authenticator.

The following is quoted from the original Bugtraq posting on this issue. This message in its entirety is available in the 'Credits' section of this vulnerability.

"After decoding the base64 encoded "user:password" pair given by the client, squid doesn't strip out any '\n' or '\r' found in the resulting string. Given such a string, any external authenticator will receive two lines instead of one, and most probably send two results. Now, any subsequent authentication exchange will has its answer shifted by one. Therefore, a malicious user can gain access to sites he or she should not have access to." 


1.) You use plain squid-2.2-STABLE5 or below. Also, external authentication is active using a some external authentication program, which basically follows the implementation guidelines given on the squid-webpages.

2.) Your ACL's for external authentication apply often enough so that external authentication actually happens maybe every 20 seconds to 20 minutes. This also depends on your password-cache settings.

3.) In general, users enter correct user:password pairs.

4.) No other user has sent a user:passwd pair with a newline at the end to the proxy until now (so we can actually describe the effect when it occurs the first time).

The exploit:

1.) Create a base64-encoded "user:passwd\n" string, f.e.:
# echo "foo:bar" | mimencode
# Zm9vOmJhcgo=

Note that
# echo -n "foo:bar" | mimencode
(notice the -n option!) will strip the trailing newline and can't be used.

The newline at the end is essential for the exploit, since most external authenticators will read _two_ lines from the proxy and sent _two_ results back to the proxy, shifting all subsequent responses to authentication request by one.

2.) telnet to your proxy and sent a valid but not authorized request (lines marked with a * are your input lines):

# telnet proxy 8080
Connected to
Escape character is '^]'
* GET HTTP/1.0
* Proxy-Authorization: Basic Zm9vOmJhcgo=
Please notice the last extra newline needed for the Protocol (it has nothing to do with the exploit, though).

An ACL must match the given domain (here,, which uses the external authentication program.

3.) You will see the response for you user:passwd pair and due to assumption this answer is accurate.

Now, wait. Once a different user sents his user:password pair -- which in turn is correct in general as stated in assumption 3.) -- he will get the authentication response of _your_ empty line and most probably will be a HTTP/1.0 407 Proxy Authentication Required answer, but then, the user will try again and... get the _correct_ answer of his or her _first_ try.

Now, the second answer (which most probably will be OK) is pending!

4.) Try to connect again with another fake user:password (without extra newline), most likely using your favorite browser. Now you should profit from the pending OK in step 3 and get the page you want.

Thats it. Please notice, that when caching is active, you can surf as long the name:password pair is available in the cache -- which can be quite long.

- 漏洞信息

Squid Web Proxy Newline Cross-User Authentication Bypass
Remote / Network Access Authentication Management, Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

1999-10-25 Unknow
1999-10-25 Unknow

- 解决方案


Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete