Bug 228593 - net-proxy/squidguard <1.3-r1 "Trailing dot" domain access restriction bypass (SG-2008-06-13)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.squidguard.org/Doc/sg-2008...
Whiteboard: B4 [noglsa]
Reported: 2008-06-20 16:58 UTC by Yar Odin
Modified: 2008-06-24 15:02 UTC

Description Yar Odin 2008-06-20 16:58:53 UTC
By adding a trailing dot to the domain it is possible to bypass the filter and access blocked sites.

This only affects people using squidGuard with squid version 3.0 STABLE1 to STABLE5 (higher versions may be affected as well; in any case, if you are running squid 3.0 make sure to patch). Squid version 2.6 is known to remove trailing dots from domains before passing the URLs to squidGuard.

Affected versions: 1.3, 1.2.1 and below
Corrected in version 1.4 alpha (and higher) 

Reproducible: Always




http://www.squidguard.org/Downloads/Patches/1.3/squidGuard-1.3-patch-20080613.tar.gz 
(MD5: fb0a12bf289b73ed6ecf5ff4ad971648) 

http://www.squidguard.org/Downloads/Patches/1.2.1/squidGuard-1.2.1-patch-20080613.tar.gz 
(MD5: ab33fb4f7381e5b30543f7f79a3d4345)
Comment 1 Alin Năstac (RETIRED) gentoo-dev 2008-06-20 22:06:14 UTC
Fixed in net-proxy/squidguard-1.3-r1. Arch teams, please mark this version as stable.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-06-21 02:26:06 UTC
Providing a new version of the file is a really weird way to patch.... Anyway, adding release@
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-21 08:19:25 UTC
x86 stable
Comment 4 Markus Rothe (RETIRED) gentoo-dev 2008-06-21 20:22:23 UTC
ppc64 stable
Comment 5 Markus Meier gentoo-dev 2008-06-22 11:36:01 UTC
amd64 stable
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-06-23 19:44:07 UTC
ppc stable
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-06-24 01:07:04 UTC
I vote NO for this since the initial comment #0 stated only squid 3.0 and higher is affected, and that is ~arch for us.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-06-24 15:02:35 UTC
no too, closing