FreeBSD : squid -- no sanity check of usernames in squid_ldap_auth (7a921e9e-68b1-11d9-9e1e-c296ac722cb3)

This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

The LDAP authentication helper did not strip leading or trailing
spaces from the login name. According to the squid patches page :

LDAP is very forgiving about spaces in search filters and this could
be abused to log in using several variants of the login name, possibly
bypassing explicit access controls or confusing accounting.

Workaround: Block logins with spaces

acl login_with_spaces proxy_auth_regex [:space:]
http_access deny login_with_spaces
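The check the advisory describes, as an added Python illustration that is not the squid_ldap_auth helper's own code: an unpatched filter builder beside a canonicalising one, the intent of the workaround ACL, and the effect of each on an explicit deny rule and on per-user accounting. The login strings, the `(uid=%s)` search template and the deny list are constructed sample values.

```python
from typing import Dict, Optional

# Constructed sample logins as the proxy hands them to the helper: one account
# spelled with several spacing variants, a second account, and a blank login.
SAMPLE_LOGINS = ["alice", " alice", "alice ", "  alice  ", "al ice", "bob", "   "]
# Constructed deny list for an explicit, login-keyed access control.
DENIED_LOGINS = {"alice"}
# Assumed LDAP search template, constructed for this example.
FILTER_TEMPLATE = "(uid=%s)"

def naive_filter(login: str) -> str:
    # Unpatched behaviour: the login is dropped into the filter unchanged.
    return FILTER_TEMPLATE % login

def canonical_login(login: str) -> Optional[str]:
    # Sanity check before the LDAP search: strip leading/trailing blanks and
    # reject an empty result or one that still contains whitespace.
    stripped = login.strip()
    if not stripped or any(ch.isspace() for ch in stripped):
        return None
    return stripped

def fixed_filter(login: str) -> Optional[str]:
    # Patched behaviour: only the canonical spelling reaches the filter.
    canon = canonical_login(login)
    return None if canon is None else FILTER_TEMPLATE % canon

def login_has_spaces(login: str) -> bool:
    # Intent of the workaround ACL: deny any login containing whitespace.
    return any(ch.isspace() for ch in login)

def denied_by_raw_login(login: str) -> bool:
    # Deny rule matched against the raw login: a spacing variant is not recognised.
    return login in DENIED_LOGINS

def denied_by_canonical_login(login: str) -> bool:
    # Deny rule matched against the canonical login; malformed logins are denied too.
    canon = canonical_login(login)
    return canon is None or canon in DENIED_LOGINS

def accounting_buckets(logins, normalise) -> Dict[str, int]:
    # Requests per account as accounting would see them under a given
    # normalisation; under the bug every spelling becomes its own account.
    buckets: Dict[str, int] = {}
    for login in logins:
        key = normalise(login)
        if key is not None:
            buckets[key] = buckets.get(key, 0) + 1
    return buckets
```

The ACL above is written with a bare `[:space:]`; the POSIX bracket-expression spelling of the whitespace class is `[[:space:]]`, so verify that the rule as deployed actually denies a login containing a space before relying on it.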

See also :

http://www.nessus.org/u?96864d1c
http://bugs.squid-cache.org/show_bug.cgi?id=1187
http://www.nessus.org/u?7ccbea4d

Solution :

Update the affected package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 18994 (freebsd_pkg_7a921e9e68b111d99e1ec296ac722cb3.nasl)

Bugtraq ID:

CVE ID: CVE-2005-0173
