Squid Proxy FTP URI Remote Denial of Service Vulnerability
BID:22079
Info
| Bugtraq ID: | 22079 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | CVE-2007-0247 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 16 2007 12:00AM |
| Updated: | Mar 19 2015 09:22AM |
| Credit: | David Duncan Ross Palmer <[email protected]> reported this issue to the vendor. |

Vulnerable:
- Ubuntu Linux 6.10 (sparc, powerpc, i386, amd64)
- Ubuntu Linux 6.06 LTS (sparc, powerpc, i386, amd64)
- Turbolinux Server 10.0, 8.0, 10.0.0 x64
- Turbolinux Appliance Server Workgroup Edition 1.0, Hosting Edition 1.0, 1.0 Workgroup Edition, 1.0 Hosting Edition, 2.0
- Trustix Secure Linux 3.0, 2.2
- Trustix Operating System Enterprise Server 2.0
- SuSE SUSE Linux Enterprise Server 9, 10
- SuSE SUSE Linux Enterprise Desktop 10
- SuSE Linux 9.3
- Squid Web Proxy Cache 2.6.STABLE6, 2.6.STABLE5, 2.6.STABLE4, 2.6.STABLE3, 2.6.STABLE2, 2.6.STABLE1
- Squid Web Proxy Cache 2.5.STABLE14, 2.5.STABLE13, 2.5.STABLE12, 2.5.STABLE11
- S.u.S.E. Linux 10.1, 10.0
- Red Hat Fedora Core 5
- Novell Open Enterprise Server (OES) 0
- Novell Linux Desktop 9
- Mandriva Linux Mandrake 2006.0 (x86_64 and i586), 2007.0 (x86_64 and i586)
- MandrakeSoft Multi Network Firewall 2.0
- MandrakeSoft Corporate Server 4.0 (x86_64 and i586), 3.0 (x86_64 and i586)
- Gentoo Linux

Not Vulnerable:
- Squid Web Proxy Cache 2.6.STABLE7
Discussion
Squid is prone to a remote denial-of-service vulnerability because the proxy server fails to handle certain FTP requests.
Successfully exploiting this issue allows remote attackers to crash affected proxy applications, denying further service to legitimate users.
Squid versions from 2.5.STABLE11 to 2.6.STABLE6 are vulnerable to this issue.
Exploit / POC
Attackers may exploit this issue using a web browser.
An example request URI sufficient to trigger this issue is available:
ftp://www.example.com/sample/directory;type=d
Solution / Fix
Solution:
The vendor has released Squid version 2.6.STABLE7 to address this issue. Please see the references for more information.

Fixes by affected version:

- Squid Web Proxy Cache 2.5.STABLE11, 2.5.STABLE13, 2.5.STABLE14, 2.6.STABLE1, 2.6.STABLE2, 2.6.STABLE3, 2.6.STABLE4, 2.6.STABLE5, 2.6.STABLE6:
  - Squid squid-2.6.STABLE7.tar.bz2
    http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7.tar.bz2
- Squid Web Proxy Cache 2.5.STABLE12:
  - Squid squid-2.6.STABLE7.tar.bz2
    http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7.tar.bz2
  - RedHat squid-2.5.STABLE14-3.FC5.i386.rpm (Fedora Core 5)
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/
  - RedHat squid-2.5.STABLE14-3.FC5.ppc.rpm (Fedora Core 5)
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/
  - RedHat squid-2.5.STABLE14-3.FC5.src.rpm (Fedora Core 5)
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/
  - RedHat squid-2.5.STABLE14-3.FC5.x86_64.rpm (Fedora Core 5)
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/
  - RedHat squid-debuginfo-2.5.STABLE14-3.FC5.i386.rpm (Fedora Core 5)
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/
  - RedHat squid-debuginfo-2.5.STABLE14-3.FC5.ppc.rpm (Fedora Core 5)
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/
  - RedHat squid-debuginfo-2.5.STABLE14-3.FC5.x86_64.rpm (Fedora Core 5)
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/
References
References:
- Bugzilla Bug 1857 (Squid)
- Key changes squid-2.6.STABLE6 to 2.6.STABLE7 (Squid)
- Squid Web Proxy Cache Homepage (Squid)