Vulnerability category: Proxy
Vulnerability severity:
Vulnerability information
Squid Proxy is a freely available open source Web proxy software package. It is designed for use on Unix, Linux and Windows platforms.
Squid configured with cache_peer and operating on explicit proxy traffic does not correctly handle CONNECT method peer responses.
Affected Software:
Squid 0.x to Squid 3.5.5
QID Detection Logic (Unauthenticated):
This unauthenticated detection works by reviewing the version of the Squid Proxy service.
Impact
Allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request.
Solution
The vendor has released updates to resolve this issue.
Refer to vendor advisory SQUID-2015:2 to obtain more details and patch information.
Workaround:
For Squid-3.0 and older ensure squid.conf contains "nonhierarchical_direct on".
For Squid-3.1 and newer remove nonhierarchical_direct from squid.conf.
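The version check and the version-dependent workaround above can be combined into one audit. The following Python sketch is an added example, not code from the vendor advisory or the scanner. It assumes the version is available as a `squid/x.y.z` banner string and that squid.conf is a single file (`include` files are not followed); the status names, the sample banner strings and the sample configuration are constructed.

```python
import re

LAST_AFFECTED = (3, 5, 5)  # page: "Squid 0.x to Squid 3.5.5"

def parse_version(banner):
    """Return (major, minor, patch) from text such as 'squid/3.5.4', else None."""
    m = re.search(r"squid/(\d+)\.(\d+)(?:\.(\d+))?", banner, re.IGNORECASE)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def directive_values(conf_text, name):
    """Values of every active occurrence of a directive; '#' text is dropped."""
    values = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == name:
            values.append(" ".join(parts[1:]))
    return values

def audit(banner, conf_text):
    """Classify one host as NOT_AFFECTED, NO_PEER, MITIGATED, EXPOSED or UNKNOWN."""
    version = parse_version(banner)
    if version is None:
        return "UNKNOWN"
    if version > LAST_AFFECTED:
        return "NOT_AFFECTED"
    if not directive_values(conf_text, "cache_peer"):
        return "NO_PEER"  # the cache_peer precondition named on the page is absent
    nhd = directive_values(conf_text, "nonhierarchical_direct")
    if version[:2] <= (3, 0):
        # Squid-3.0 and older: the directive must be present and set to "on".
        mitigated = bool(nhd) and all(v == "on" for v in nhd)
    else:
        # Squid-3.1 and newer: the directive must not appear at all.
        mitigated = not nhd
    return "MITIGATED" if mitigated else "EXPOSED"

# Constructed sample input (not from a real host).
SAMPLE_CONF = """\
http_port 3128
cache_peer parent.example.net parent 3128 0 no-query
nonhierarchical_direct off   # constructed line
"""

if __name__ == "__main__":
    for banner in ("squid/2.7.STABLE9", "squid/3.5.4", "squid/3.5.6"):
        print(banner, audit(banner, SAMPLE_CONF))
```

A host reported as MITIGATED still runs an affected version, so the vendor update remains the fix.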
Patch:
Following are links for downloading patches to fix the vulnerabilities: