Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29141
HistoryMar 10, 2013 - 12:00 a.m.

Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc

2013-03-1000:00:00
vulners.com
20
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/05/2013 01:53 PM, [email protected] wrote:
> ################################################################ #
> DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc #
> ################################################################ #
> # Authors: # # 22733db72ab3ed94b5f8a1ffcde850251fe6f466 #
> c8e74ebd8392fda4788179f9a02bb49337638e7b # AKAT-1 #
> #######################################
>
> # Versions: 3.2.5, 3.2.7
>
>
> This error is only triggered when squid needs to generate an error
> page (for example backend node is not responding etc…) POC
> (request): – cut – GET http://127.0.0.1:1/foo HTTP/1.1
> Accept-Language: , – cut –
>
> e.g : curl -H "Accept-Language: ," http://localhost:3129/
>
> Code:
>
> strHdrAcptLangGetItem is called with pos equals 0, therefore first
> branch in if (316 line) is taken, because xisspace(hdr[pos]) is
> false, then pos++ is not executed (because hdr[0] is ','). In 335
> line statement in while is also false because hdr[0] = ',', so
> whole loop body is omited. dt = lang, thus after assignment in 353
> line *lang == '\0', so expression in if statement in 357 line is
> false. So next execution of while body (314 line), has got same
> preconditions as previous, thus it's infinite loop.

Was this reported upstream to [email protected]? Has anyone
confirmed this, and if so, does it require a CVE #?

Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJROQF3AAoJEBYNRVNeJnmTq5oQANtdEmCVhIbR9RppkKuPsIP0
QW+sMJYIunEdUchS+p8IRQiN3IrD8ySDuyWeOSTW6riYopH1XhV1RMY67+JJ63kg
vR7Toh5GFTjKmd6HvrN7FX7yZ5UyupClX1WhBk2s8GTIhYckDCykvWePJwei2cT3
fRYc72jSsEoqKP5CTS9YK91Ap0FZRGDREt/V6yZwGkYAVh6j89XC5j95VPzNCigQ
QQquLNr0AaRQC2E/Ofa++GW8GHf1yGMOQ49ypEKr1n7CrY3uZD2/Gp968GPZx+DJ
/31KyBAW5v2e1cTIOMgan+mVR8PDHcWSKFQu3bRpd4JaeNkYWHsd66w2tclL8r6Q
N09+GJFiEdE9ycsHMHMyz8DcCtzLo6BnrP9NTHYzd5Q2CyNpNS0RnAVsFU0Bj2VX
WLA7JhcM0+5+UJvn9dIuNSaB7xVusKi5Q4YCP33FFULsDczKs5tFBrvrvEn3h9//
gol31UVSMpB00Bh5ijWifLmrRXJ9+RodxZUZ4PfmmllPA30iuoTqb0yhmVv314GG
5/T/PnsMYEAWSrsaqdcfWiWNLGyx/lqovrXofszratY7Urphp0OJNueN9Et7IPkZ
E42eXZt3x3FfJzFNA2WgXIW13aTQ+iRdAqMip+jmylfMr6JtABevu+V1JXvZkcHY
8E7GKbUGP4HexDIWiA0a
=tSGC
-----END PGP SIGNATURE-----

JSON