Bug#: 228593
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Yar Odin <yarodin@gmail.com>


Description:   Opened: 2008-06-20 16:58 0000
By adding a trailing dot to the domain it is possible to bypass the filter and
access blocked sites.

This only affects people using squidGuard with squid version 3.0 STABLE1 to
STABLE5 (higher versions may be affected as well; in any case, if you are
running squid 3.0 make sure to patch). Squid version 2.6 is known to remove
trailing dots from domains before passing the URLs to squidGuard.

Affected versions: 1.3, 1.2.1 and below
Corrected in version 1.4 alpha (and higher) 

Reproducible: Always




http://www.squidguard.org/Downloads/Patches/1.3/squidGuard-1.3-patch-20080613.tar.gz 
(MD5: fb0a12bf289b73ed6ecf5ff4ad971648) 

http://www.squidguard.org/Downloads/Patches/1.2.1/squidGuard-1.2.1-patch-20080613.tar.gz 
(MD5: ab33fb4f7381e5b30543f7f79a3d4345)
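
The mismatch described in the report, as an added example that is not squidGuard's code or the upstream patch: a blocklist matcher that compares the host exactly as the proxy passed it, beside one that strips trailing dots first. The blocklist entries and all function names are constructed for illustration, and treating a host that cannot be normalized as blocked is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed blocklist for the example (not squidGuard's database format). */
static const char *BLOCKED[] = { "blocked.example", "ads.example.net", NULL };

/* Strip trailing dots so the fully qualified form "blocked.example." compares
 * equal to "blocked.example". Returns -1 if the result is empty or too long. */
int normalize_host(const char *host, char *out, size_t outlen)
{
    size_t n = strlen(host);
    while (n > 0 && host[n - 1] == '.')
        n--;
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, host, n);
    out[n] = '\0';
    return 0;
}

/* 1 if host equals a listed domain or is a subdomain of one, else 0. */
static int match_list(const char *host)
{
    size_t hl = strlen(host);
    for (size_t i = 0; BLOCKED[i] != NULL; i++) {
        size_t dl = strlen(BLOCKED[i]);
        if (hl >= dl && strcmp(host + hl - dl, BLOCKED[i]) == 0 &&
            (hl == dl || host[hl - dl - 1] == '.'))
            return 1;
    }
    return 0;
}

/* Weak form: matches the host string without any normalization. */
int is_blocked_raw(const char *host) { return match_list(host); }

/* Hardened form: normalize first, and fail closed if that is not possible. */
int is_blocked(const char *host)
{
    char buf[256];
    return normalize_host(host, buf, sizeof buf) != 0 || match_list(buf);
}

int main(void)
{
    const char *h = "blocked.example.";   /* constructed sample input */
    printf("%s raw=%d normalized=%d\n", h, is_blocked_raw(h), is_blocked(h));
    return 0;
}
```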

------- Comment #1 From Alin Năstac 2008-06-20 22:06:14 0000 -------
Fixed in net-proxy/squidguard-1.3-r1. Arch teams, please mark this version as
stable.

------- Comment #2 From Robert Buchholz 2008-06-21 02:26:06 0000 -------
Providing a new version of the file is a really weird way to patch.... Anyway,
adding release@

------- Comment #3 From Christian Faulhammer 2008-06-21 08:19:25 0000 -------
x86 stable

------- Comment #4 From Markus Rothe 2008-06-21 20:22:23 0000 -------
ppc64 stable

------- Comment #5 From Markus Meier 2008-06-22 11:36:01 0000 -------
amd64 stable

------- Comment #6 From Tobias Scherbaum 2008-06-23 19:44:07 0000 -------
ppc stable

------- Comment #7 From Robert Buchholz 2008-06-24 01:07:04 0000 -------
I vote NO for this since the initial comment #0 stated only squid 3.0 and
higher is affected, and that is ~arch for us.

------- Comment #8 From Pierre-Yves Rofes 2008-06-24 15:02:35 0000 -------
no too, closing
