PT-2020-2565 · Squid+7 · Squid+8
Jeriko One · Published 2019-07-15 · Updated 2021-02-11
CVE-2019-12520
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Squid versions 4.7 and earlier
Squid version 5
Description
The issue exists due to insufficient input validation in the Squid proxy server. An attacker can exploit it to gain access to features that only reverse proxies can use, such as ESI (Edge Side Includes). When Squid receives a request, it checks its cache by computing an MD5 hash of the absolute URL of the request. For certain protocols, the absolute URL can include the decoded UserInfo (username and password). This allows an attacker to provide a username containing special characters that delimit the domain, so that the rest of the URL is treated as a path or query string. An attacker could first make a request to their own domain using an encoded username; when a request for the target domain later comes in that decodes to the exact same URL, Squid will serve the attacker's HTML instead of the real HTML.
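The key confusion described above, as an added example that is not Squid's code and not part of the original advisory: a simplified model of hashing the absolute URL with and without decoding UserInfo, plus a check that flags request URLs whose UserInfo decodes to URL delimiters. The function names, the delimiter set and the `.example` URLs are assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit, unquote

# Assumption: characters that would end or split the authority part once decoded.
DELIMS = set("/?#@")

def split_userinfo(url):
    """Return (scheme, raw_userinfo, hostport, rest) without decoding anything."""
    p = urlsplit(url)
    userinfo, at, hostport = p.netloc.rpartition("@")
    rest = p.path + ("?" + p.query if p.query else "")
    return p.scheme, (userinfo if at else ""), hostport, rest

def key_material(url, decode_userinfo):
    """Rebuild the absolute URL string that gets hashed (simplified model)."""
    scheme, userinfo, hostport, rest = split_userinfo(url)
    if decode_userinfo:
        userinfo = unquote(userinfo)  # the weak step: delimiters become literal
    prefix = userinfo + "@" if userinfo else ""
    return f"{scheme}://{prefix}{hostport}{rest}"

def cache_key(url, decode_userinfo):
    """MD5 of the absolute URL, as the description says the cache lookup uses."""
    return hashlib.md5(key_material(url, decode_userinfo).encode()).hexdigest()

def suspicious_userinfo(url):
    """True when the UserInfo part decodes to something containing a URL delimiter."""
    _, userinfo, _, _ = split_userinfo(url)
    return bool(DELIMS & set(unquote(userinfo)))

# Constructed sample request URLs (not taken from any real log).
WITH_ENCODED_USERINFO = "http://site-a.example%2Fpage%3F@site-b.example/x"
PLAIN_REQUEST = "http://site-a.example/page?@site-b.example/x"
ORDINARY_LOGIN = "http://alice:s3cret@site-b.example/x"

if __name__ == "__main__":
    for decode in (True, False):
        same = cache_key(WITH_ENCODED_USERINFO, decode) == cache_key(PLAIN_REQUEST, decode)
        print(f"decode_userinfo={decode}: keys collide = {same}")
    for url in (WITH_ENCODED_USERINFO, PLAIN_REQUEST, ORDINARY_LOGIN):
        print(f"{'FLAG' if suspicious_userinfo(url) else 'ok  '} {url}")
```

Run over proxy access logs, `suspicious_userinfo` gives a quick way to spot requests that rely on this decoding behaviour while an upgrade is pending.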
Recommendations
For Squid versions 4.7 and earlier, consider updating to a version that includes the fix for this issue.
For Squid version 5, consider updating to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the cache and limiting the use of decoded UserInfo in the absolute URL.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
RCE
Affected Products
Alt Linux
Almalinux
Centos
Red Hat
Rocky Linux
Squid
Squid Cache
Suse
Ubuntu