English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsSA36378

Squid "strListGetItem()" Denial of Service Vulnerability


Secunia ID

SA36378
CVE-ID

CVE-2009-2855
Release Date

20 Aug 2009
Criticality

Less Critical
Solution Status

Unpatched
Software

Squid 2.x
Where

From remote
Impact
DoS (Denial of Service)

This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.
Description

A vulnerability has been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the "strListGetItem()" function when parsing external authentication headers. This can be exploited to trigger the execution of an infinite loop via a header containing ',' characters.

Successful exploitation requires that an "external_acl_type" configuration option defining a delimiter different from ',' is present.

The vulnerability is reported in version 2.7.STABLE3. Other versions may also be affected.
Solution

Restrict access to trusted users only.
Reported by

Matt Benjamin
Original Advisory

http://www.squid-cache.org/bugs/show_bug.cgi?id=2541

© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search