Squid Information Disclosure Vulnerability Prior to Version 7.2

Vulnerability

A vulnerability in Squid, a web caching proxy, discloses information because error handling fails to properly redact HTTP authentication credentials. The issue is present in Squid versions prior to 7.2. It enables a script to bypass browser security and access the authentication credentials of a trusted client. As a result, a remote client could identify security tokens or credentials used internally by a web application that relies on Squid for backend load balancing. Notably, the vulnerability does not require Squid to be configured with HTTP authentication.

Impact

Exploitation of this vulnerability could lead to unauthorized access to HTTP authentication credentials, allowing remote clients to identify internal security tokens or credentials used by web applications via Squid.

Reproduction

To reproduce this vulnerability, configure Squid with the 'email_err_data' directive set to 'on'. This will enable the inclusion of sensitive request headers in error-related 'mailto' links, which can be exploited to disclose authentication credentials. After triggering an error that generates such a link, the unredacted authentication data can be extracted, demonstrating the information disclosure flaw.

Remediation

Upgrade to Squid version 7.2 or later. If using a prepackaged version of Squid, check with the package vendor for availability of updated packages. For those who compile Squid from source, the latest version can be obtained from the official Squid website.
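
A version and configuration check for the condition described under Reproduction and Remediation, as an added example that is not part of the original advisory or of Squid itself. It assumes the 'Squid Cache: Version X.Y' line printed by squid -v, that a later email_err_data line overrides an earlier one, and that an unset directive means 'on' before 7.2; the function names are hypothetical and the sample inputs are constructed. Treating 'off' as a mitigation is inferred from the Reproduction section.

```python
import re

FIXED = (7, 2)  # first fixed release, per the advisory text above

# Constructed sample inputs for illustration (not from a real host).
SAMPLE_VERSION_OUTPUT = "Squid Cache: Version 6.10\nService Name: squid\n"
SAMPLE_CONF = """\
http_port 3128
# email_err_data off   <- commented out, has no effect
email_err_data on
"""

def parse_version(squid_v_output):
    """Extract (major, minor) from the 'Squid Cache: Version X.Y' line."""
    m = re.search(r"Version\s+(\d+)\.(\d+)", squid_v_output)
    if not m:
        raise ValueError("no Squid version found")
    return int(m.group(1)), int(m.group(2))

def effective_email_err_data(conf_text, default="on"):
    """Return the last uncommented email_err_data value in conf_text.

    Assumptions: a later line overrides an earlier one, and an absent
    directive means 'on' on releases before 7.2. 'include' files are
    not followed; pass their contents in as well if you use them.
    """
    value = default
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()  # drop comments
        if len(tokens) >= 2 and tokens[0] == "email_err_data":
            value = tokens[1].lower()
    return value

def assess(squid_v_output, conf_text):
    """Classify a host as 'patched', 'mitigated' or 'exposed'."""
    if parse_version(squid_v_output) >= FIXED:
        return "patched"
    if effective_email_err_data(conf_text) == "off":
        return "mitigated"  # inferred from Reproduction; upgrading is still the fix
    return "exposed"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_CONF))
```

On a real host, pass the output of squid -v and the contents of squid.conf in place of the samples.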

Added: Oct 17, 2025, 5:18 PM
Updated: Oct 17, 2025, 5:18 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 0.8
exploitability: 7.0
remediation: 8.3
relevance: 0.8
threat: 5.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.