Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL #306
Conversation
… certificate The error page allows injecting snippets using the distinguished name of untrusted certificates via the %D template parameter. This patch quotes information retrieved from remote certificates using the %ssl_subject, %ssl_ca_name and %ssl_cn error details formatting codes. Thanks to Nikolas Lohmann [eBlocker] for identifying the problem. This is a Measurement Factory project
LGTM as a workaround
@chtsanti, if you have not asked Nikolas for permission to publish his name and company affiliation, please do so. Besides that, this PR is on your side -- as you probably know, it needs PR description fixes and an
Is this bug specific to intercepting Squids? Squid doing SslBump (a.k.a. SSL inspection)? Any Squid?
Let's be explicit: ERR_SECURE_CONNECT_FAIL. However, this injection is not limited to the default ERR_SECURE_CONNECT_FAIL page. It could happen whenever the admin uses
Any error page which uses %D and there is a TLS error to be displayed which embeds a value from certificate field(s). Otherwise %D does not expand to anything useful.
I removed his name for now; I am waiting for his response.
OK.
Only in ERR_SECURE_CONNECT_FAIL; only for this error do we populate the ErrorState::detail member, which stores the error details.
@chtsanti, I have adjusted the PR title and description based on your last remarks. Before clearing this PR for merge, please check that the updated title/description match reality.
Reformatted the description to fix line lengths, making the M-failed-description removal valid.
@chtsanti, FYI: The only purple
@yadij, FYI: The line length limit is 72, not 65. The reason we keep titles at or below 65 characters is because the PR number gets auto-added to the title during merge commit formation (by GitHub or Anubis). See https://github.com/measurement-factory/anubis#commit-message
%ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL template. This bug affects all ERR_SECURE_CONNECT_FAIL page templates containing %D, including the default template.

Other error pages are not vulnerable because Squid does not populate %D with certificate details in other contexts (yet).

Thanks to Nikolas Lohmann [eBlocker] for identifying the problem.

TODO: If those certificate details become needed for ACL checks or other non-HTML purposes, make their HTML-escaping conditional.

This is a Measurement Factory project.
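The following is an added illustration of the escaping problem the PR description fixes; it is not Squid's code and not part of this pull request. It models, in a few dozen lines of C++, the two-stage expansion the description refers to: certificate fields (%ssl_subject, %ssl_ca_name, %ssl_cn) are first expanded into the error-detail string, and that string is then substituted for %D inside an HTML page template. The function names (htmlEscape, expandDetail, expandPage, detailAddsTags), the std::map standing in for the real certificate accessors, the detail template and the sample certificate values are all assumptions chosen for the example. The `escape` flag selects the pre-patch behaviour (raw field values reach HTML) versus the patched behaviour (field values are HTML-escaped before %D expansion); detailAddsTags is the kind of check a regression test can run on the rendered page.

```cpp
#include <cctype>
#include <cstdio>
#include <map>
#include <string>

// Constructed example, not Squid's code: a minimal model of how an error-page
// detail string (%D) is built from certificate fields and then inserted into
// an HTML template, with and without the HTML escaping this PR adds.

// Replace the five characters that matter in HTML text and attribute context.
std::string htmlEscape(const std::string &in)
{
    std::string out;
    out.reserve(in.size());
    for (const char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;        break;
        }
    }
    return out;
}

// Expand %ssl_subject-style codes in the detail template from certificate
// fields (code names taken from the PR; the map is our stand-in for the real
// certificate accessors). escape=false models the pre-patch behaviour.
std::string expandDetail(const std::string &tmpl,
                         const std::map<std::string, std::string> &certFields,
                         bool escape)
{
    std::string out;
    size_t pos = 0;
    while (pos < tmpl.size()) {
        if (tmpl[pos] != '%') {
            out += tmpl[pos++];
            continue;
        }
        // A code name is the run of [A-Za-z0-9_] after the percent sign.
        size_t end = pos + 1;
        while (end < tmpl.size() &&
               (std::isalnum(static_cast<unsigned char>(tmpl[end])) || tmpl[end] == '_'))
            ++end;
        const std::string code = tmpl.substr(pos + 1, end - pos - 1);
        const auto it = certFields.find(code);
        if (it == certFields.end()) {
            out += tmpl.substr(pos, end - pos); // unknown code: copy through
        } else {
            out += escape ? htmlEscape(it->second) : it->second;
        }
        pos = end;
    }
    return out;
}

// Substitute the first %D in the HTML page template with the detail string.
std::string expandPage(const std::string &page, const std::string &detail)
{
    std::string out = page;
    const size_t at = out.find("%D");
    if (at != std::string::npos)
        out.replace(at, 2, detail);
    return out;
}

// Regression check on the rendered page: untrusted detail must not introduce
// any '<' beyond those already present in the page template itself.
bool detailAddsTags(const std::string &page, const std::string &rendered)
{
    auto count = [](const std::string &s) {
        size_t n = 0;
        for (const char c : s)
            if (c == '<') ++n;
        return n;
    };
    return count(rendered) > count(page);
}

int main()
{
    // Constructed certificate fields containing HTML-significant characters.
    const std::map<std::string, std::string> cert = {
        {"ssl_subject", "CN=example.test & <co>, O=Example"},
        {"ssl_ca_name", "Example <Root> CA"},
        {"ssl_cn", "example.test"},
    };
    const std::string detailTmpl = "subject=%ssl_subject ca=%ssl_ca_name cn=%ssl_cn";
    const std::string page = "<p>Failed to establish a secure connection: %D</p>";

    const std::string before = expandPage(page, expandDetail(detailTmpl, cert, false));
    const std::string after  = expandPage(page, expandDetail(detailTmpl, cert, true));
    std::printf("before: %s\n  adds tags: %s\nafter:  %s\n  adds tags: %s\n",
                before.c_str(), detailAddsTags(page, before) ? "yes" : "no",
                after.c_str(),  detailAddsTags(page, after)  ? "yes" : "no");
    return 0;
}
```

The escaping is applied at the point where the certificate value enters the detail string, which is what makes the TODO in the description relevant: if the same detail values are later reused for ACL checks or logging, the escaping has to become conditional on the output context rather than unconditional.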