29-Year-Old ‘Squidbleed’ Vulnerability Exposes Sensitive Data in Squid Proxy

A critical security flaw, dubbed ‘Squidbleed,’ has been identified in the Squid Proxy software, exposing sensitive user data for nearly three decades. This vulnerability, present since 1997, allows unauthorized access to HTTP headers, including passwords and API keys, from users sharing the same proxy.

Squid Proxy is a widely used caching and forwarding web proxy that enhances web performance and security by reducing bandwidth usage and improving response times. The newly discovered flaw affects all versions of Squid in their default configurations, posing a significant risk to organizations relying on this software for network management.

Technical Details of Squidbleed

The vulnerability originates from a heap buffer overread in Squid’s FTP directory listing parser. Specifically, the issue arises when Squid processes FTP directory listings that lack a filename following the modification timestamp. In such cases, Squid’s parsing logic fails to handle the absence of a filename correctly, leading to the reading of memory beyond the allocated buffer. This overread can result in the unintended inclusion of data from other users’ HTTP requests in the FTP response, potentially exposing sensitive information such as authorization headers and session tokens.

The flaw was introduced in a code commit dated January 18, 1997, which aimed to accommodate NetWare FTP servers that inserted extra spaces between a file’s modification timestamp and its filename. The parsing logic implemented to handle this scenario inadvertently allowed for the buffer overread when no filename was present.

Exploitation and Mitigation

To exploit this vulnerability, an attacker must control an FTP server accessible by the Squid proxy and craft a directory listing that triggers the overread. The attack is feasible under the following conditions:

  • FTP support is enabled in Squid (enabled by default).
  • The attacker’s FTP server is reachable on TCP port 21 from the proxy.
  • Victim traffic is transmitted over cleartext HTTP or through a TLS-terminating proxy setup.

Security researchers have demonstrated the attack by leaking authorization headers from a login page via a shared Squid proxy. A proof-of-concept exploit has been made publicly available, highlighting the ease with which this vulnerability can be exploited.

To address this issue, a patch has been developed that introduces a null check before each parsing operation to prevent the buffer overread. Administrators are strongly advised to apply this patch promptly. Additionally, disabling FTP support in Squid is recommended unless it is explicitly required, as modern browsers have largely deprecated FTP support.
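To make the failure mode and the fix concrete, here is an added illustration in C; it is not Squid's code, and the parser, the `ftp_listing_filename` function and the simplified UNIX-style `ls -l` line layout it assumes are constructed for this example. A NULL-terminated token array stands in for the parser state, runs of extra spaces (the NetWare case) collapse during tokenizing, and a line that ends after the timestamp is rejected by a NULL check before every access instead of being read past the end of the array.

```c
/* Added example, not Squid's code: hardened FTP listing-line parsing.
 * Assumed (constructed) layout of a UNIX-style "ls -l" line:
 *   perms links owner group size month day time|year name
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 32

/* Split s in place on whitespace into a NULL-terminated token array.
 * Any run of spaces counts as one separator, so a line with no filename
 * simply yields fewer tokens; it never yields an empty filename token. */
static void tokenize(char *s, char *tokens[MAX_TOKENS + 1])
{
    int n = 0;
    while (*s && n < MAX_TOKENS) {
        while (*s && isspace((unsigned char)*s)) s++;
        if (!*s) break;
        tokens[n++] = s;
        while (*s && !isspace((unsigned char)*s)) s++;
        if (*s) *s++ = '\0';
    }
    tokens[n] = NULL;           /* sentinel that the guards below rely on */
}

/* Copy the filename into out. Returns 1 on success, 0 when the line is
 * malformed or the filename after the timestamp is missing. */
int ftp_listing_filename(const char *line, char *out, size_t out_cap)
{
    char buf[512];
    char *tokens[MAX_TOKENS + 1];
    if (strlen(line) >= sizeof buf) return 0;
    strcpy(buf, line);
    tokenize(buf, tokens);

    /* Fields 0..4: perms, links, owner, group, size; 5..7: month, day,
     * time or year. Check for the sentinel before touching each field. */
    int i = 0;
    for (; i < 8; i++)
        if (!tokens[i]) return 0;

    /* The check the article describes as missing: a listing that ends
     * after the timestamp must be rejected, not read past the array. */
    if (!tokens[i]) return 0;
    if (strlen(tokens[i]) >= out_cap) return 0;
    strcpy(out, tokens[i]);     /* filenames containing spaces are truncated at the first space */
    return 1;
}
```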

The discovery of Squidbleed underscores the importance of regular code audits and the need for proactive security measures, even in long-standing and widely used software. Organizations utilizing Squid Proxy should prioritize updating their systems and reviewing their configurations to mitigate potential risks associated with this vulnerability.