[squid] external authentication security issue

[oec () CODEBLAU DE (Oezguer Kesim)]

Holla,

two weeks ago I found a security bug in squid, a web proxy cache, freely
available at http://squid.nlanr.net/

Here you find the short Buglog-entry as shown at
        http://squid.nlanr.net/Versions/v2/2.2/bugs/

Please note that the bug applies whenever a external authenticator is used.

cheers,
  Oezguer Kesim
  oec () codeblau de

Newlines in passwords confuses the authenticator program
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Platforms       All

Versions        2.2.STABLE5 and earlier

Synopsis        After decoding the base64 encoded "user:password" pair
                given by the client, squid doesn't strip out any '\n' or
                '\r' found in the resulting string. Given such a string,
                any external authenticator will receive two lines instead
                of one, and most probably send two results. Now, any
                subsequent authentification exchange will has its answer
                shifted by one.  Therefore, a malicious user can gain
                access to sites he or she should not have access to.

Reported by     Oezguer Kesim (oec () codeblau de)

Patch           http://squid.nlanr.net/Versions/v2/2.2/bugs/
                        squid-2.2.stable5-newlines_in_auth.patch

Status          Fixed in 2.3 branch.