Kristoffer Danielsson

**Name of the Vulnerable Software and Affected Versions** Squid versions prior to 4.9 **Description** The issue exists due to insufficient input validation in the Squid proxy server, allowing a remote attacker to access restricted HTTP servers using a specially crafted HTTP request. When handling a URN request, a corresponding HTTP request is made without going through the access checks that incoming HTTP requests go through, causing all access checks to be bypassed. This allows access to restricted HTTP servers, such as those that only listen on localhost. **Recommendations** For Squid versions prior to 4.9, update to version 4.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the URN request handling functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Squid versions 3.x through 4.8 **Description** An issue was discovered due to incorrect input validation, resulting in a heap-based buffer overflow that can cause Denial of Service to all clients using the proxy. The severity is high because this issue occurs before normal security checks, allowing any remote client that can reach the proxy port to perform the attack via a crafted URI scheme. **Recommendations** For Squid versions 3.x through 4.8, update to a version later than 4.8 to resolve the issue. As a temporary workaround, consider restricting access to the proxy port to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Squid versions 3.x through 4.8 **Description** The issue arises when the `append domain` setting is used, due to improper interaction between appended characters and hostname length restrictions, leading to incorrect message processing. This can cause traffic to be inappropriately redirected to unintended origins. The vulnerability in the `append domain` parameter of the Squid proxy server is related to shortcomings in the mechanisms against cross-site forgery, allowing a remote attacker to access and compromise confidential data. **Recommendations** For Squid versions 3.x through 4.8, consider disabling the `append domain` setting as a temporary workaround until a patch is available. Restrict access to the Squid proxy server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.