Denial of Service : Squid External Auth Header Parser DOS Vulnerabilities

Price/Feature Summary | Order | New Vulnerabilities | Confidentiality | Vulnerability Search

Vulnerability Search		Search 61204 CVE descriptions and 32582 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.101105

Category: Denial of Service

Title: Squid External Auth Header Parser DOS Vulnerabilities

Summary: Check for the version of Squid

Description:

Overview: This host is running Squid and is prone to Denial Of
Service vulnerabilities.

Vulnerability Insight:
The flaw is due to error in 'strListGetItem()' function within
'src/HttpHeaderTools.c'.

Impact:
Successful exploitation could allow remote attackers to cause a denial of service
via a crafted auth header with certain comma delimiters that trigger an infinite
loop of calls to the strcspn function.

Affected Software/OS:
Squid Version 2.7.X

Fix: Upgrade to Squid Version 3.1.4 or later,
For further updates refer, http://www.squid-cache.org/Download/

References:
http://www.squid-cache.org/bugs/show_bug.cgi?id=2704
http://www.openwall.com/lists/oss-security/2009/08/03/3
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2009-2855
http://www.openwall.com/lists/oss-security/2009/07/20/10
http://www.openwall.com/lists/oss-security/2009/08/03/3
http://www.openwall.com/lists/oss-security/2009/08/04/6
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31;filename=diff;att=1;bug=534982
http://www.squid-cache.org/bugs/show_bug.cgi?id=2704
BugTraq ID: 36091
http://www.securityfocus.com/bid/36091
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10592
http://www.securitytracker.com/id?1022757
XForce ISS Database: squid-strlistgetitem-dos(52610)
http://xforce.iss.net/xforce/xfdb/52610

Copyright Copyright (C) 2009 SecPod

This is only one of 32582 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

New User Registration
Email:

UserID:

Passwd:

Please email me your monthly newsletters, informing the latest services, improvements & surveys.

Please email me a vulnerability test announcement whenever a new test is added.

Privacy

Registered User Login

UserID:

Passwd:

Forgot userid or passwd?

Email/Userid:

Test ID:	1.3.6.1.4.1.25623.1.0.101105
Category:	Denial of Service
Title:	Squid External Auth Header Parser DOS Vulnerabilities
Summary:	Check for the version of Squid
Description:	Overview: This host is running Squid and is prone to Denial Of Service vulnerabilities. Vulnerability Insight: The flaw is due to error in 'strListGetItem()' function within 'src/HttpHeaderTools.c'. Impact: Successful exploitation could allow remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function. Affected Software/OS: Squid Version 2.7.X Fix: Upgrade to Squid Version 3.1.4 or later, For further updates refer, http://www.squid-cache.org/Download/ References: http://www.squid-cache.org/bugs/show_bug.cgi?id=2704 http://www.openwall.com/lists/oss-security/2009/08/03/3 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2009-2855 http://www.openwall.com/lists/oss-security/2009/07/20/10 http://www.openwall.com/lists/oss-security/2009/08/03/3 http://www.openwall.com/lists/oss-security/2009/08/04/6 http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31;filename=diff;att=1;bug=534982 http://www.squid-cache.org/bugs/show_bug.cgi?id=2704 BugTraq ID: 36091 http://www.securityfocus.com/bid/36091 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10592 http://www.securitytracker.com/id?1022757 XForce ISS Database: squid-strlistgetitem-dos(52610) http://xforce.iss.net/xforce/xfdb/52610
Copyright	Copyright (C) 2009 SecPod