Vigil@nce - Squid: infinite loop via strHdrAcptLangGetItem
March 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a malformed Accept-Language header, in order
to trigger an infinite loop in Squid, which leads to a denial of
service.
– Impacted products: Squid
– Severity: 2/4
– Creation date: 11/03/2013
DESCRIPTION OF THE VULNERABILITY
The HTTP Accept-Language header indicates the list of languages
expected by the client. For example:
Accept-Language: fr, en
When an error occurs, the strHdrAcptLangGetItem() function of the
src/errorpage.cc file generates an error page. In order to do so,
this function analyzes the Accept-Language header to generate a
message in the client’s language. However, if the list of
languages is composed of a comma alone, this function loops trying
to find the language.
An attacker can therefore use a malformed Accept-Language header,
in order to trigger an infinite loop in Squid, which leads to a
denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Squid-infinite-loop-via-strHdrAcptLangGetItem-12497