Squid Set-Cookie Header Cross-session Information Disclosure

medium Nessus Plugin ID 19237

Synopsis

The remote proxy server is affected by an information disclosure issue.

Description

The remote Squid caching proxy, according to its banner, is prone to an information disclosure vulnerability. Because of a race condition, Set-Cookie headers may leak to other users if the requested server follows the deprecated Netscape Set-Cookie specification with regard to how cacheable content is handled.

Solution

Apply the patch referenced in the vendor URL above or upgrade to version 2.5 STABLE10 or later.

See Also

http://www.nessus.org/u?4e1802e8

Plugin Details

Severity: Medium

ID: 19237

File Name: squid_set_cookie_headers.nasl

Version: 1.20

Type: remote

Family: Firewalls

Published: 7/20/2005

Updated: 7/30/2018

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:squid-cache:squid

Required KB Items: Settings/ParanoidReport, www/squid

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/3/2005

Reference Information

CVE: CVE-2005-0626

BID: 12716