
Bug 4957: Multiple XSS issues in cachemgr.cgi #429

Closed
wants to merge 1 commit into from

Conversation

yadij (Contributor) commented Jul 5, 2019

The cachemgr.cgi web module of the Squid proxy is vulnerable
to an XSS issue. The vulnerable parameters "user_name" and "auth"
have insufficient sanitization in place.

yadij added the label S-waiting-for-more-reviewers (needs a reviewer and/or a second opinion) Jul 5, 2019

rousskov (Contributor) left a comment


I do not see problems with the proposed changes so I am approving this PR.

FWIW, I think that all this poorly written CGI code should be completely removed from Squid. If somebody wants to maintain it outside of Squid, they sure can, but the Squid Project has insufficient resources to do web UIs right (including doing them safely).

rousskov added the label S-waiting-for-committer (privileged action is expected and usually required) and removed S-waiting-for-more-reviewers Jul 5, 2019

kinkie (Contributor) commented Jul 5, 2019 via email

rousskov (Contributor) commented Jul 5, 2019

> There is an experimental branch, probably out of date, meaning to reimplement this in JavaScript

As far as the Squid Project goes, I am pretty sure that this functionality should be removed rather than re-implemented (in any language). As for some hypothetical external re-implementation, a Javascript/HTML5 client does indeed sound like a giant step forward (and away from a server-side CGI).

yadij added the label M-cleared-for-merge (https://github.com/measurement-factory/anubis#pull-request-labels) and removed S-waiting-for-committer Jul 6, 2019

squid-anubis pushed a commit that referenced this pull request Jul 7, 2019:
"Bug 4957: Multiple XSS issues in cachemgr.cgi" (the commit message repeats the PR description above)
squid-anubis added the label M-waiting-staging-checks Jul 7, 2019
squid-anubis added the label M-merged and removed M-cleared-for-merge and M-waiting-staging-checks Jul 7, 2019
squidadm pushed a commit to squidadm/squid that referenced this pull request Jul 7, 2019
yadij added a commit that referenced this pull request Jul 8, 2019
squidadm pushed a commit to squidadm/squid that referenced this pull request Jul 9, 2019
yadij added a commit that referenced this pull request Jul 9, 2019