ID CVE-2007-1560
Summary The clientProcessRequest() function in src/client_side.c in Squid 2.6 before 2.6.STABLE12 allows remote attackers to cause a denial of service (daemon crash) via crafted TRACE requests that trigger an assertion error.
References
Vulnerable Configurations
  • cpe:2.3:a:squid:squid:2.6.stable1
  • cpe:2.3:a:squid:squid:2.6.stable2
  • cpe:2.3:a:squid:squid:2.6.stable3
  • cpe:2.3:a:squid:squid:2.6.stable4
  • cpe:2.3:a:squid:squid:2.6.stable5
  • cpe:2.3:a:squid:squid:2.6.stable6
  • cpe:2.3:a:squid:squid:2.6.stable7
  • cpe:2.3:a:squid:squid:2.6.stable8
  • cpe:2.3:a:squid:squid:2.6.stable9
  • cpe:2.3:a:squid:squid:2.6.stable10
  • cpe:2.3:a:squid:squid:2.6.stable11
CVSS
Base: 5.0 (as of 22-03-2007 - 11:09)
Impact:
Exploitability:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_C27BC173D7AA11DBB1410016179B2DD5.NASL
    description Squid advisory 2007:1 notes : Due to an internal error Squid-2.6 is vulnerable to a denial of service attack when processing the TRACE request method. Workarounds : To work around the problem deny access to using the TRACE method by inserting the following two lines before your first http_access rule.
      acl TRACE method TRACE
      http_access deny TRACE
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 24886
    published 2007-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24886
    title FreeBSD : Squid -- TRACE method handling denial of service (c27bc173-d7aa-11db-b141-0016179b2dd5)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-441-1.NASL
    description A flaw was discovered in Squid's handling of the TRACE request method which could lead to a crash. Remote attackers with access to the Squid server could send malicious TRACE requests, and cause a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28038
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28038
    title Ubuntu 6.10 : squid vulnerability (USN-441-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0131.NASL
    description An updated squid package that fixes a security vulnerability is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. A denial of service flaw was found in the way Squid processed the TRACE request method. It was possible for an attacker behind the Squid proxy to issue a malformed TRACE request, crashing the Squid daemon child process. As long as these requests were sent, it would prevent legitimate usage of the proxy server. (CVE-2007-1560) This flaw does not affect the version of Squid shipped in Red Hat Enterprise Linux 2.1, 3, or 4. Users of Squid should upgrade to this updated package, which contains a backported patch and is not vulnerable to this issue.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25323
    published 2007-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25323
    title RHEL 5 : squid (RHSA-2007:0131)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200703-27.NASL
    description The remote host is affected by the vulnerability described in GLSA-200703-27 (Squid: Denial of Service) Squid incorrectly handles TRACE requests that contain a 'Max-Forwards' header field with value '0' in the clientProcessRequest() function. Impact : A remote attacker can send specially crafted TRACE HTTP requests that will terminate the child process. A quickly repeated attack will lead to a Denial of Service. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 24932
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24932
    title GLSA-200703-27 : Squid: Denial of Service
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0131.NASL
    description From Red Hat Security Advisory 2007:0131 : An updated squid package that fixes a security vulnerability is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. A denial of service flaw was found in the way Squid processed the TRACE request method. It was possible for an attacker behind the Squid proxy to issue a malformed TRACE request, crashing the Squid daemon child process. As long as these requests were sent, it would prevent legitimate usage of the proxy server. (CVE-2007-1560) This flaw does not affect the version of Squid shipped in Red Hat Enterprise Linux 2.1, 3, or 4. Users of Squid should upgrade to this updated package, which contains a backported patch and is not vulnerable to this issue.
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 67467
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67467
    title Oracle Linux 5 : squid (ELSA-2007-0131)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SQUID-3036.NASL
    description This update fixes a remote denial of service problem in Squid 2.6 (CVE-2007-1560). Other Squid versions are not affected.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27453
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27453
    title openSUSE 10 Security Update : squid (squid-3036)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-068.NASL
    description Due to an internal error Squid-2.6 is vulnerable to a denial of service attack when processing the TRACE request method. This problem allows any client trusted to use the service to perform a denial of service attack on the Squid service. Updated packages have been patched to address this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24894
    published 2007-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24894
    title Mandrake Linux Security Advisory : squid (MDKSA-2007:068)
  • NASL family Firewalls
    NASL id SQUID_2612.NASL
    description A vulnerability in TRACE request processing has been reported in Squid, which can be exploited by malicious people to cause a denial of service.
    last seen 2019-02-21
    modified 2018-07-30
    plugin id 24873
    published 2007-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24873
    title Squid < 2.6.STABLE12 src/client_side.c clientProcessRequest() function TRACE Request DoS
oval via4
accepted 2013-04-29T04:04:21.456-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The clientProcessRequest() function in src/client_side.c in Squid 2.6 before 2.6.STABLE12 allows remote attackers to cause a denial of service (daemon crash) via crafted TRACE requests that trigger an assertion error.
family unix
id oval:org.mitre.oval:def:10291
status accepted
submitted 2010-07-09T03:56:16-04:00
title The clientProcessRequest() function in src/client_side.c in Squid 2.6 before 2.6.STABLE12 allows remote attackers to cause a denial of service (daemon crash) via crafted TRACE requests that trigger an assertion error.
version 18
redhat via4
advisories
bugzilla
id 233253
title CVE-2007-1560 Squid TRACE DoS
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhsa:tst:20070055001
  • comment squid is earlier than 7:2.6.STABLE6-4.el5
    oval oval:com.redhat.rhsa:tst:20070131002
  • comment squid is signed with Red Hat redhatrelease key
    oval oval:com.redhat.rhsa:tst:20070131003
rhsa
id RHSA-2007:0131
released 2007-04-03
severity Moderate
title RHSA-2007:0131: squid security update (Moderate)
rpms squid-7:2.6.STABLE6-4.el5
refmap via4
bid 23085
confirm
gentoo GLSA-200703-27
mandriva MDKSA-2007:068
sectrack 1017805
secunia
  • 24611
  • 24614
  • 24625
  • 24662
  • 24911
suse SUSE-SR:2007:005
ubuntu USN-441-1
vupen ADV-2007-1035
xf squid-clientprocessrequest-dos(33124)
Last major update 13-07-2011 - 00:00
Published 21-03-2007 - 14:19
Last modified 10-10-2017 - 21:31