The cachemgr.cgi web module of Squid is vulnerable to cross-site scripting via the user_name or auth parameter (CVE-2019-13345)

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages

A cross-site scripting vulnerability exists in Squid due to improper sanitation of the user_name and auth parameters within cachemgr.cgi. A remote, unauthenticated attacker could exploit this vulnerability by enticing a user to open a crafted link or a web page. Successful exploitation could result in execution of arbitrary script code under the security context of the target user’s browser.

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.

Reflected attacks are those where the injected script is reflected off the web server as in the case of Squid cachemgr.cgi

The request

Is reflected back

For understanding purposes here the script uses just an alert (‘XSS’) but in real life the attacker can use malicious scripts that can access any cookies, session tokens, or other sensitive information .The victim’s browser thinks the script came from a trusted source and will execute the script.

Analyzing the patch for the vulnerability, we see that the user_name input is not sanitized before being used.

SonicWall Capture Labs Threat Research team provides protection against this vulnerability with the following signatures:

IPS 1369 : Cross-Site Scripting (XSS) Attack 1

IPS 4349 : Cross-Site Scripting (XSS) Attack 43

IPS 14308 : Cross-Site Scripting (XSS) Attack 60

IPS 14309 : Cross-Site Scripting (XSS) Attack 61

WAF 9008: Cross-site Scripting (XSS) Attack

Threat graph: