PT-2012-3886 · Squid · Squid+1

Published: 2012-04-28 · Updated: 2024-08-06 · CVE-2012-2213

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Squid version 3.1.9

Description: The issue allows remote attackers to bypass the access configuration for the CONNECT method by supplying an arbitrary allowed hostname in the Host HTTP header. Note that this issue might not be reproducible, because no squid.conf file from a vulnerable system is available; the observed behavior is consistent with a squid.conf file that was, perhaps inadvertently, written to allow access based on a "req_header Host" acl regex that matches www.uol.com.br.

Recommendations: For Squid version 3.1.9, consider modifying the squid.conf file so that access is no longer granted on the basis of the Host HTTP header, which prevents bypassing the access configuration for the CONNECT method. As a temporary workaround, restrict the use of the CONNECT method until a proper configuration can be implemented.
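As an added illustration that is not part of this advisory, the following squid.conf fragment shows the kind of Host-header-based rule the description is consistent with, beside a corrected configuration that authorizes CONNECT by real destination and port. The acl names, the allowed client network and the rule set are assumptions, not the configuration of any affected system.

```squid
# --- Weak pattern (what the description above is consistent with) ---
# req_header matches a regex against a header the client supplies (here Host).
# It says nothing about where the request actually goes. http_access rules are
# evaluated top-down, first match wins, so a CONNECT to any host:port whose
# Host header matches this regex is allowed by the first rule and the CONNECT
# restriction below is never reached for it.
acl uol_host req_header Host -i ^www\.uol\.com\.br$
http_access allow uol_host
acl CONNECT method CONNECT
acl SSL_ports port 443
http_access deny CONNECT !SSL_ports

# --- Corrected configuration (assumed names and network) ---
# Authorize by destination (dstdomain / port), which Squid takes from the
# CONNECT target or request URL, not from a client-controlled header, and put
# the CONNECT restriction before any allow rule.
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8          # assumed client network
acl uol dstdomain .uol.com.br        # matches the actual destination host

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports  # CONNECT only to 443, whatever the headers say
http_access allow localnet uol
http_access deny all
```

After editing, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` loads it without a restart.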

Related Identifiers: CVE-2012-2213

Affected Products: Squid, Squid Cache