Squid cross-site scripting (Fw: Squid doesn't quote urls in error messages.)

["TAKAGI, Hiromitsu" <takagi () etl go jp>]

The following problem is not registered on the vulnerabilities database.
http://www.securityfocus.com/vdb/middle.html?vendor=&title=Squid%20Web%20Proxy&version=any
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=squid

Related messages:
http://www.squid-cache.org/mail-archive/squid-dev/200010/0361.html
http://www.squid-cache.org/mail-archive/squid-dev/200011/0051.html
http://www.securityfocus.com/archive/82/142120

Fix:
http://www.squid-cache.org/Versions/v2/2.4/diff-2.4.DEVEL4-2.4.PRE-STABLE.gz
http://www.squid-cache.org/Versions/v2/2.3/diff-2.3.STABLE4-2.3.STABLE5.gz

--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://www.etl.go.jp/~takagi/

Forwarded by "TAKAGI, Hiromitsu" <takagi () etl go jp>
----------------------- Original Message -----------------------
 From:    Lincoln Yeoh <lyeoh () POP JARING MY>
 To:      VULN-DEV () SECURITYFOCUS COM
 Date:    Fri, 27 Oct 2000 17:47:00 +0800
 Subject: Squid doesn't quote urls in error messages.
----

Hi,

I noticed that Squid 2.3.STABLE4 doesn't quote urls in error messages.

For example if a user visits the following url

http://www.dotcom.com/ <b>test</b>

The user will get an invalid url page with test in bold.

Or even more fun with:
http://www.somecompany.com/<img src="http://www.mysite.com/mylogo.gif";>

You can actually get a working form in such an error message! Javascript too.

So it may be possible to rip out other site's cookies from browsers using
this (see DKrypt's and other peoples stuff on it).

Also maybe do a fake form/page :).

I haven't really tried it myself, and so I can't confirm if it really works
(that's why it's in VULN-DEV ;) ).

Cheerio,
Link.
--------------------- Original Message Ends --------------------