Squid Proxy Authentication Credential Forwarding Information Disclosure Vulnerability

Squid is a freely available, open source web proxy software package. It is designed for use on the Unix and Linux platforms. Squid includes support for proxy authentication.

A vulnerability exists in some versions of the Squid proxy. Under some configurations, the Authorization header may be forwarded to an additional server. This can result in cleartext usernames and passwords being disclosed to the remote server.

Reportedly, this condition may occur when the proxy is configured to require authentication for normal usage, but allows some sites to be visited freely.
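One way to audit for this exposure from the destination side is to inspect a request exactly as the origin server received it and report any credential headers that survived the proxy. The following is an added example, not code from Squid or from the original advisory; the function names, host names and sample requests are constructed, and checking Proxy-Authorization alongside the Authorization header named above is an assumption.

```python
import base64

# Headers that can carry credentials. The advisory names Authorization;
# Proxy-Authorization is included as an assumption, since it is the
# standard header for credentials addressed to a proxy.
CREDENTIAL_HEADERS = ("authorization", "proxy-authorization")


def parse_headers(raw_request: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the header section of a raw HTTP request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def forwarded_credentials(raw_request: bytes) -> list[dict]:
    """List credential headers present in a request as seen by the origin server."""
    findings = []
    for name, value in parse_headers(raw_request):
        if name.lower() not in CREDENTIAL_HEADERS:
            continue
        scheme, _, token = value.partition(" ")
        finding = {"header": name, "scheme": scheme, "username": None, "cleartext": False}
        if scheme.lower() == "basic":
            # Basic credentials are base64("user:password"): encoding, not encryption.
            try:
                decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
            except ValueError:
                decoded = ""
            user, sep, _password = decoded.partition(":")
            if sep:
                finding["username"] = user
                finding["cleartext"] = True
        findings.append(finding)
    return findings


# Constructed samples: requests captured on the origin-server side of a proxy.
SAMPLE_LEAK = (
    b"GET / HTTP/1.0\r\nHost: open.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:constructed-secret") + b"\r\n"
    b"Via: 1.0 proxy.example\r\n\r\n"
)
SAMPLE_CLEAN = b"GET / HTTP/1.0\r\nHost: open.example\r\nVia: 1.0 proxy.example\r\n\r\n"
```

A non-empty result for a request to one of the freely visitable sites means the proxy passed the user's credentials through; the password is deliberately not returned in the findings.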


Copyright 2010, SecurityFocus