CVE-2002-0715
CVSS 5.0
Published: 2002-07-26 00:00:00
Last revised: 2016-10-17 22:21:45

[Original] Vulnerability in Squid before 2.4.STABLE6 related to proxy authentication credentials may allow remote web sites to obtain the user's proxy login and password.


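[CNNVD] Squid Proxy Authentication Credential Forwarding Information Disclosure Vulnerability (CNNVD-200207-099)

        A vulnerability related to proxy authentication credentials exists in Squid versions before 2.4.STABLE6. Remote web sites can obtain the user's proxy login and password.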

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

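- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links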

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0715
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0715
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-099
(official data source) CNNVD

- Other links and resources

ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-046.0.txt
(UNKNOWN)  CALDERA  CSSA-2002-046.0
http://marc.info/?l=bugtraq&m=102674543407606&w=2
(UNKNOWN)  BUGTRAQ  20020715 TSLSA-2002-0062 - squid
http://rhn.redhat.com/errata/RHSA-2002-051.html
(UNKNOWN)  REDHAT  RHSA-2002:051
http://rhn.redhat.com/errata/RHSA-2002-130.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2002:130
http://www.iss.net/security_center/static/9478.php
(UNKNOWN)  XF  squid-auth-header-forwarding(9478)
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-044.php
(PATCH)  MANDRAKE  MDKSA-2002:044
http://www.securityfocus.com/bid/5154
(UNKNOWN)  BID  5154
http://www.squid-cache.org/Advisories/SQUID-2002_3.txt
(VENDOR_ADVISORY)  CONFIRM  http://www.squid-cache.org/Advisories/SQUID-2002_3.txt
http://www.squid-cache.org/Versions/v2/2.4/bugs/
(PATCH)  CONFIRM  http://www.squid-cache.org/Versions/v2/2.4/bugs/

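- Vulnerability information

Squid Proxy Authentication Credential Forwarding Information Disclosure Vulnerability
Medium risk Design Error
2002-07-26 00:00:00 2005-10-20 00:00:00
Remote
        A vulnerability related to proxy authentication credentials exists in Squid versions before 2.4.STABLE6. Remote web sites can obtain the user's proxy login and password.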

- Advisories and patches

        FreeBSD has released a Security Notice FreeBSD-SN-02:05. Users of FreeBSD systems are strongly urged to upgrade their ports tree to fix various reported issues. Further information can be found in the referenced Security Notice.
        SCO has released advisory CSSA-2003-SCO.9 to address this issue.
        Updates are available:
        National Science Foundation Squid Web Proxy 2.2
        
        National Science Foundation Squid Web Proxy 2.2 STABLE5
        
        National Science Foundation Squid Web Proxy 2.3 STABLE3
        
        National Science Foundation Squid Web Proxy 2.3 STABLE4
        
        National Science Foundation Squid Web Proxy 2.3
        

- Vulnerability information

5926
Squid Web Proxy Cache Authentication Header Forwarding Information Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Unknown

- Vulnerability description

Squid Web Proxy Cache contains a flaw that may lead to an unauthorized information disclosure. The problem is that the Squid proxy authentication header could be forwarded to external web sites, which will disclose the proxy username and password resulting in a loss of confidentiality. No further details have been provided.

- Timeline

2002-07-03 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.4.STABLE7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Squid Proxy Authentication Credential Forwarding Information Disclosure Vulnerability
Design Error 5154
Yes No
2002-07-03 12:00:00 2009-07-11 02:56:00
Vulnerabilities announced in a Squid Security Advisory. Discovery is credited to Hernan Otero.

- Affected versions

National Science Foundation Squid Web Proxy 2.4 STABLE6
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
National Science Foundation Squid Web Proxy 2.4 STABLE4
- MandrakeSoft Corporate Server 1.0.1
- MandrakeSoft Single Network Firewall 7.2
- Mandriva Linux Mandrake 8.2
- Mandriva Linux Mandrake 8.1 ia64
- Mandriva Linux Mandrake 8.1
- Mandriva Linux Mandrake 8.0 ppc
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
National Science Foundation Squid Web Proxy 2.4 STABLE3
- Conectiva Linux 7.0
National Science Foundation Squid Web Proxy 2.4 STABLE2-3
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Workstation 3.1.1
National Science Foundation Squid Web Proxy 2.4 STABLE2-2
+ Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Workstation 3.1.1
National Science Foundation Squid Web Proxy 2.4 STABLE2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenServer 5.0.6
- Conectiva Linux 7.0
National Science Foundation Squid Web Proxy 2.4 STABLE1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ HP Secure OS software for Linux 1.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2
- S.u.S.E. Linux 7.2
National Science Foundation Squid Web Proxy 2.4 PRE-STABLE2
National Science Foundation Squid Web Proxy 2.4 PRE-STABLE
National Science Foundation Squid Web Proxy 2.4 DEVEL4
National Science Foundation Squid Web Proxy 2.4 DEVEL2
National Science Foundation Squid Web Proxy 2.4
+ FreeBSD FreeBSD 5.0
+ FreeBSD FreeBSD 4.5
+ FreeBSD FreeBSD 4.4
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
National Science Foundation Squid Web Proxy 2.3 STABLE5
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
National Science Foundation Squid Web Proxy 2.3 STABLE4-11
+ Caldera OpenLinux Server 3.1
- Caldera OpenLinux Workstation 3.1
National Science Foundation Squid Web Proxy 2.3 STABLE4
- Caldera OpenLinux Server 3.1
- Immunix Immunix OS 7.0 beta
- Immunix Immunix OS 7.0
- Immunix Immunix OS 6.2
- MandrakeSoft Corporate Server 1.0.1
- MandrakeSoft Single Network Firewall 7.2
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
- S.u.S.E. Linux 7.3
- S.u.S.E. Linux 7.2
- S.u.S.E. Linux 7.1 x86
- S.u.S.E. Linux 7.1 sparc
- S.u.S.E. Linux 7.1 ppc
- S.u.S.E. Linux 7.1 alpha
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4 ppc
- S.u.S.E. Linux 6.4 alpha
- S.u.S.E. Linux 6.4
- Trustix Secure Linux 1.2
- Trustix Secure Linux 1.1
- Trustix Secure Linux 1.0 1
National Science Foundation Squid Web Proxy 2.3 STABLE3
- MandrakeSoft Corporate Server 1.0.1
- MandrakeSoft Single Network Firewall 7.2
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- RedHat Linux 7.0
- Trustix Secure Linux 1.2
- Trustix Secure Linux 1.1
- Trustix Secure Linux 1.0 1
National Science Foundation Squid Web Proxy 2.3 STABLE2
- MandrakeSoft Corporate Server 1.0.1
- MandrakeSoft Single Network Firewall 7.2
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- Trustix Secure Linux 1.2
- Trustix Secure Linux 1.1
- Trustix Secure Linux 1.0 1
National Science Foundation Squid Web Proxy 2.3
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ SCO Open Server 5.0.6 a
+ SCO Open Server 5.0.6
+ SCO Open Server 5.0.5
+ SCO Open Server 5.0.4
+ SCO Open Server 5.0.3
+ SCO Open Server 5.0.2
+ SCO Open Server 5.0.1
+ SCO Open Server 5.0
National Science Foundation Squid Web Proxy 2.2 STABLE5
- S.u.S.E. Linux 7.1 x86
- S.u.S.E. Linux 7.1 sparc
- S.u.S.E. Linux 7.1 ppc
- S.u.S.E. Linux 7.1 alpha
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4 ppc
- S.u.S.E. Linux 6.4 alpha
- S.u.S.E. Linux 6.3 alpha
- S.u.S.E. Linux 6.3
National Science Foundation Squid Web Proxy 2.2
- RedHat Linux 6.0 sparc
- RedHat Linux 6.0 alpha
- RedHat Linux 6.0
- RedHat Linux 5.2 sparc
- RedHat Linux 5.2 i386
- RedHat Linux 5.2 alpha
National Science Foundation Squid Web Proxy 2.1
National Science Foundation Squid Web Proxy 2.0
National Science Foundation Squid Web Proxy 2.4 STABLE7

- Unaffected versions

National Science Foundation Squid Web Proxy 2.4 STABLE7

- Discussion

Squid is a freely available, open source web proxy software package. It is designed for use on the Unix and Linux platforms. Squid includes support for proxy authentication.

A vulnerability exists in some versions of the Squid proxy. Under some configurations, the Authorization header may be forwarded to an additional server. This can result in cleartext usernames and passwords being disclosed to the remote server.

Reportedly, this condition may occur when the proxy is configured to require authentication for normal usage, but allows some sites to be visited freely.

- Exploit

No exploit is required.

- Solution

FreeBSD has released a Security Notice FreeBSD-SN-02:05. Users of FreeBSD systems are strongly urged to upgrade their ports tree to fix various reported issues. Further information can be found in the referenced Security Notice.

SCO has released advisory CSSA-2003-SCO.9 to address this issue.

Updates are available:


National Science Foundation Squid Web Proxy 2.2

National Science Foundation Squid Web Proxy 2.2 STABLE5

National Science Foundation Squid Web Proxy 2.3 STABLE3

National Science Foundation Squid Web Proxy 2.3 STABLE4

National Science Foundation Squid Web Proxy 2.3

National Science Foundation Squid Web Proxy 2.3 STABLE5

National Science Foundation Squid Web Proxy 2.3 STABLE2

National Science Foundation Squid Web Proxy 2.3 STABLE4-11

National Science Foundation Squid Web Proxy 2.4 STABLE2-3

National Science Foundation Squid Web Proxy 2.4 STABLE4

National Science Foundation Squid Web Proxy 2.4 STABLE6

National Science Foundation Squid Web Proxy 2.4 STABLE2

National Science Foundation Squid Web Proxy 2.4 PRE-STABLE

National Science Foundation Squid Web Proxy 2.4 STABLE2-2

National Science Foundation Squid Web Proxy 2.4 STABLE3

National Science Foundation Squid Web Proxy 2.4 DEVEL4

National Science Foundation Squid Web Proxy 2.4 DEVEL2

National Science Foundation Squid Web Proxy 2.4

National Science Foundation Squid Web Proxy 2.4 PRE-STABLE2

National Science Foundation Squid Web Proxy 2.4 STABLE1

- Related references

     

     
