Re: [squid-users] Re: LDAP authentication with Squid

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 22 Aug 2002 15:17:41 +0200

Gerard Eviston wrote:

> A little off-topic, but I have noticed that clients which have
> previously authenticated with the proxy (for sites other than hotmail in
> this example) will continue to send Proxy-Authorization headers for the
> rest of the session. The documented behaviour of squid is to keep this
> header intact if it would not be used. In the example above, and I have
> observed in 2.2S3, this causes user credentials to be revealed to
> upstream proxies - creating a security risk and/or problems for
> non-squid parents which are easily confused. Is it also possible that
> credentials could be revealed to the origin server hotmail.com in the
> example above?

And that is why Squid-2.5 only forwards proxy user credentials if configured to
do so per cache_peer.

Note: Squid-2.4.STABLE6 and earlier contain the bug with leaking credentials
to origin servers that you suspect may exist. See
http://www.squid-cache.org/Versions/v2/2.4/bugs/ and/or
http://www.squid-cache.org/Advisories/SQUID-2002_3.txt for further
information and a patch (using 2.4.STABLE7 or later is recommended; no patching
is required then).

Regards
Henrik
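One way an operator can verify, from the defending side, that the per-peer forwarding Henrik describes is what actually leaves the proxy: read which cache_peer lines carry login=PASS (the Squid-2.5 option that passes the user's own credentials to that peer) and flag any captured upstream request that still carries Proxy-Authorization to another destination. This is an added example, not code from the post or from Squid; the squid.conf fragment, hostnames and request captures are constructed.

```python
import re

# Constructed squid.conf fragment. In Squid-2.5 a peer receives the client's
# Proxy-Authorization header only when its cache_peer line has login=PASS,
# so parent-b must never see it.
SQUID_CONF = """
cache_peer parent-a.example.test parent 3128 3130 login=PASS
cache_peer parent-b.example.test parent 3128 3130 no-query
"""

# Constructed captures of requests the proxy sent upstream:
# (destination host, raw HTTP request as written to the socket).
CAPTURES = [
    ("parent-a.example.test",
     "GET http://intranet.example.test/ HTTP/1.0\r\nHost: intranet.example.test\r\n"
     "Proxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    ("parent-b.example.test",
     "GET http://www.example.test/ HTTP/1.0\r\nHost: www.example.test\r\n"
     "Proxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    ("www.hotmail.com",
     "GET / HTTP/1.0\r\nHost: www.hotmail.com\r\n"
     "Proxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    ("www.hotmail.com",
     "GET / HTTP/1.0\r\nHost: www.hotmail.com\r\n\r\n"),
]

CACHE_PEER = re.compile(r"^\s*cache_peer\s+(\S+)\s+(\S+)\s+\d+\s+\d+(.*)$", re.M)

def peers(conf):
    """Map each cache_peer hostname to whether it may receive user credentials."""
    return {m.group(1): "login=PASS" in m.group(3).split()
            for m in CACHE_PEER.finditer(conf)}

def has_proxy_auth(raw):
    """True if the request's header block (request line excluded) carries Proxy-Authorization."""
    head = raw.split("\r\n\r\n", 1)[0]
    return any(line.lower().startswith("proxy-authorization:")
               for line in head.split("\r\n")[1:])

def find_leaks(conf, captures):
    """Return (destination, reason) for every upstream request that carries
    Proxy-Authorization to a destination not configured to receive it."""
    allowed = peers(conf)
    leaks = []
    for dest, raw in captures:
        if not has_proxy_auth(raw):
            continue
        if dest not in allowed:
            leaks.append((dest, "origin server"))       # no cache_peer at all
        elif not allowed[dest]:
            leaks.append((dest, "peer without login=PASS"))
    return leaks

if __name__ == "__main__":
    for dest, why in find_leaks(SQUID_CONF, CAPTURES):
        print(f"credential leak to {dest} ({why})")
```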
Received on Thu Aug 22 2002 - 07:17:55 MDT