Squid HTCP Runtime Configuration Vulnerability

Squid includes option support for the Hyper Text Caching Protocol (HTCP). Although this support is not enabled in most default configurations, support may be enabled if Squid is compiled with the '--enable-htcp' option. HTCP is covered in rfc 2756, and is intended to provide support for cache management and efficiency.

The Squid documentation states that HTCP support may be enabled and disabled through settings in the Squid configuration file. However, HTCP is always enabled when it is compiled into Squid. As a result, vulnerable servers are unable to restrict access to this functionality through run time configuration options.


 

Privacy Statement
Copyright 2010, SecurityFocus