SB2019071130 - Cross-site scripting in squid (Alpine package)
Published: July 11, 2019
Description
This security bulletin contains information about 1 security vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2019-13345)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "user_name" and "auth" parameters to the cachemgr.cgi web module. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Example:
http://[host]/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=admin&operation=authenticate&auth=bG9jYWxob3N0fDE1NTg5NTYzNzJ8YWRtIj48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0PmlufGRzZGFkYWE=
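The "auth" value in the example above is base64-encoded; decoding it exposes the injected markup that the unsanitized parameter carries into the page. The following detection routine is an added example, not part of the bulletin or of the Squid project: it inspects web-server request lines for cachemgr.cgi, decodes the "auth" blob, and flags any "user_name" or "auth" value containing HTML or script markers. The three request lines are constructed for the example (the second reuses the bulletin's own URL); the suspicious-character pattern is an assumption chosen for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request lines (request field of an access log).
# The second line reuses the example URL from the bulletin above.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=admin&operation=menu HTTP/1.1",
    "GET /cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=admin&operation=authenticate"
    "&auth=bG9jYWxob3N0fDE1NTg5NTYzNzJ8YWRtIj48c2NyaXB0PmFsZXJ0KCdYU1MnKTwvc2NyaXB0PmlufGRzZGFkYWE= HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

# Assumed indicator pattern: markup delimiters, javascript: URLs and on*= handlers.
SUSPICIOUS = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def decode_auth(value):
    """Decode the base64 'auth' blob; return the decoded text or None if it is not valid base64."""
    # parse_qs turns a literal '+' into a space; restore it before decoding.
    candidate = value.replace(" ", "+")
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def inspect_request(request_line):
    """Return a list of (parameter, value) findings for a cachemgr.cgi request, [] when clean."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    url = urlsplit(parts[1])
    if not url.path.endswith("/cachemgr.cgi"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    for name in ("user_name", "auth"):
        for value in params.get(name, []):
            text = value
            if name == "auth":
                decoded = decode_auth(value)
                if decoded is not None:
                    text = decoded  # inspect the decoded payload, not the base64 wrapper
            if SUSPICIOUS.search(text):
                findings.append((name, text))
    return findings


def scan(request_lines):
    """Map each flagged request line to its findings."""
    report = {}
    for line in request_lines:
        findings = inspect_request(line)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_REQUESTS).items():
        print("FLAGGED:", line)
        for name, text in findings:
            print("   ", name, "=>", text)
```

The check decodes "auth" before matching because the markup is invisible in the raw query string; logs that only pattern-match on the URL itself would miss it. Requests whose "auth" value is not valid base64 are inspected as plain text instead of being dropped.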
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=225360732093a00d6a58a6e626b26e6794a4739c
- https://git.alpinelinux.org/aports/commit/?id=a2e4a10786598b2f40879a608a3090b4f1242065
- https://git.alpinelinux.org/aports/commit/?id=e669c04c87f3b6f9826273154aebe26e89d75dc8
- https://git.alpinelinux.org/aports/commit/?id=d53ed0c4c1d95491577c154f337313ee72703ef8
- https://git.alpinelinux.org/aports/commit/?id=0a4f1520352ff66f50aebb2110bea65b3ee17f90
- https://git.alpinelinux.org/aports/commit/?id=61747ef7247b4805f9881eedd113c538e156376d
- https://git.alpinelinux.org/aports/commit/?id=1bd365a6732f045db6dd96f516dec5764f0c8c57
- https://git.alpinelinux.org/aports/commit/?id=48e59c02864ce11fac3e2ff3529f2e1f5d1b7f1e
- https://git.alpinelinux.org/aports/commit/?id=a93510d1c69bc8f6e6fd0e2781ffcad140585f08