Bug 4957: Multiple XSS issues in cachemgr.cgi #429
I do not see problems with the proposed changes so I am approving this PR.
FWIW, I think that all this poorly written CGI code should be completely removed from Squid. If somebody wants to maintain it outside of Squid, they sure can, but the Squid Project has insufficient resources to do web UIs right (including doing them safely).
|
There is an experimental branch, provably out of date, meaning to
reimplement this in JavaScript
On Fri, 5 Jul 2019 at 18:51, Alex Rousskov ***@***.***> wrote:
***@***.**** approved this pull request.
I do not see problems with the proposed changes so I am approving this PR.
FWIW, I think that all this poorly written CGI code should be completely
removed from Squid. If somebody wants to maintain it outside of Squid, they
sure can, but the Squid Project has insufficient resources to do web UIs
right (including doing them safely).
--
@mobile
|
As far as the Squid Project goes, I am pretty sure that this functionality should be removed rather than re-implemented (in any language). As for some hypothetical external re-implementation, a JavaScript/HTML5 client does indeed sound like a giant step forward (and away from a server-side CGI). |
The cachemgr.cgi web module of the squid proxy is vulnerable to XSS issue. The vulnerable parameters "user_name" and "auth" have insufficient sanitization in place.
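
The commit message names request parameters ("user_name" and "auth") that reach the page without sufficient sanitization. The C code below is an added example, not code from this PR or from Squid: it escapes a parameter value for HTML before it is written into a page, and refuses to emit anything when the escaped value does not fit. The function names `html_escape` and `render_hidden_field` and the hidden-field markup are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Entity for a character unsafe in HTML text or a quoted attribute, else NULL. */
static const char *html_entity(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Escape src into dst (capacity cap, including the NUL). Returns the escaped
 * length, or -1 if it does not fit; dst is then emptied, never cut mid-entity. */
int html_escape(const char *src, char *dst, size_t cap)
{
    size_t used = 0;
    if (cap == 0) return -1;
    for (; *src != '\0'; ++src) {
        const char *ent = html_entity(*src);
        size_t need = ent ? strlen(ent) : 1;
        if (used + need >= cap) {   /* keep one byte for the terminator */
            dst[0] = '\0';
            return -1;
        }
        /* Copy the entity, or the single original byte when none applies. */
        memcpy(dst + used, ent ? ent : src, need);
        used += need;
    }
    dst[used] = '\0';
    return (int)used;
}

/* Hypothetical helper: render one request parameter as a hidden form field.
 * `name` must be a fixed literal chosen by the program; only `value` is
 * treated as untrusted. The markup is constructed for this example. */
int render_hidden_field(const char *name, const char *value, char *out, size_t cap)
{
    char safe[256];
    if (html_escape(value, safe, sizeof(safe)) < 0)
        return -1;                  /* fail closed: emit no field at all */
    int n = snprintf(out, cap, "<input type=\"hidden\" name=\"%s\" value=\"%s\">",
                     name, safe);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}
```

Escaping has to match the output context: this covers HTML text and quoted attribute values, not values placed inside URLs or script blocks.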