Ethical Hacking News
A critical vulnerability has been discovered in the widely used Squid web proxy software, which allows an attacker with access to the same proxy server as the intended victim to steal sensitive information from that user's HTTP requests. Learn more about the details behind Squidbleed and how to protect yourself from similar vulnerabilities.
Squid, a widely used web proxy software, has been found vulnerable to a critical security flaw known as Squidbleed.
The vulnerability allows an attacker with access to the same proxy server as the intended victim to steal sensitive information from that user's HTTP requests.
The vulnerability is attributed to a 1997 FTP-parsing change in Squid's codebase, which created a buffer overflow in the FTP directory-listing parser.
Disabling FTP on Squid instances unless necessary can eliminate the attack surface for free, regardless of the version of Squid being used.
Patching the vulnerable code by adding a null-terminator check is another option to address the issue.
The risk associated with Squidbleed is considered moderate due to low privileges required to exploit the vulnerability and limited impact on confidentiality.
Squid, a widely used web proxy software designed to filter and cache internet requests, has recently been found vulnerable to a critical security flaw known as Squidbleed. This vulnerability, identified by researchers at Calif.io, allows an attacker with access to the same proxy server as the intended victim to steal sensitive information from that user's HTTP requests.
The vulnerability is attributed to a 1997 FTP-parsing change in Squid's codebase, which inadvertently created a buffer overflow in the FTP directory-listing parser. When a malicious user sends an FTP request containing specific characters, it can manipulate the parser into revealing unintended data, including sensitive information such as login credentials or session tokens.
In this article, we will delve into the details of the Squidbleed vulnerability, its causes, and the consequences for users relying on Squid web proxy software. We will also discuss the steps taken to address this issue and provide guidance on how individuals and organizations can protect themselves from similar vulnerabilities in the future.
The discovery of Squidbleed was announced by researchers at Calif.io, who have been tracking bugs in open-source software for several years. The vulnerability is assigned the CVE-2026-47729 identifier and has a CVSS (Common Vulnerability Scoring System) score of 6.5, indicating a moderate risk level.
Squid describes this attack as being carried out by a "trusted client," which refers to an attacker who already has access to the same proxy server as the intended victim. This type of attack scenario is common in shared networks, such as schools, offices, and public Wi-Fi hotspots.
To understand how Squidbleed works, it's essential to grasp the underlying mechanics of FTP directory listing. In old NetWare servers, listings were padded with extra spaces to accommodate formatting issues. To handle this, Squid's FTP parser includes a loop that skips whitespace characters in the listing line.
However, if an attacker sends an FTP request containing a specific pattern, it can manipulate the parser into walking off the end of the buffer and copying the entire response back to the attacker as a filename. This exposes sensitive information stored in the proxy server's memory buffers.
In the case of Squidbleed, researchers found that the vulnerability could be exploited by an attacker who controls an FTP server on port 21. The attacker would need to send a carefully crafted request to the vulnerable Squid instance, which would then reveal the contents of the victim's HTTP requests.
Fortunately, the researchers have made proof-of-concept code publicly available, allowing developers and security experts to test for and exploit the vulnerability. However, no in-the-wild exploitation has been reported as of writing.
To address this issue, Calif.io recommends disabling FTP on Squid instances unless necessary. This measure can eliminate the attack surface for free, regardless of the version of Squid being used.
Another option is to patch the vulnerable code, which involves adding a null-terminator check before making the call to `strchr`. This fix has been implemented in the development branch and was merged into the v7 branch. However, users should verify that their Squid instance is indeed patched and confirm the presence of this guard.
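The guard described above, shown as an added example that is not Squid's source or the researchers' proof of concept: a minimal C model of a whitespace-skip loop with and without the terminator check before `strchr`. The names WS, FIELDS, ARENA, skip_ws_unguarded and skip_ws_guarded are hypothetical, and the sample listing line and the bytes placed after it are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; a model of the bug class, not Squid code. */
static const char WS[] = " \t\r\n";          /* whitespace set for the skip loop */

/* Constructed sample: a listing line ending in spaces, its terminator, then
 * unrelated bytes standing in for whatever lies next in memory. */
#define FIELDS "-rw-r--r-- 1 u g 0 Jan 1 00:00"
static const char ARENA[] = FIELDS "   \0ADJACENT-BYTES";
#define START (sizeof(FIELDS) - 1)            /* first trailing space */
#define LIMIT (sizeof(ARENA) - 1)             /* keeps the demo inside ARENA */

/* Unguarded: strchr(WS, '\0') returns a pointer to WS's own terminator, not
 * NULL, so the end of the line is treated as whitespace and stepped over. */
static size_t skip_ws_unguarded(const char *buf, size_t i, size_t limit)
{
    while (i < limit && strchr(WS, buf[i]) != NULL)
        i++;
    return i;
}

/* Guarded: test for the terminator before calling strchr. */
static size_t skip_ws_guarded(const char *buf, size_t i, size_t limit)
{
    while (i < limit && buf[i] != '\0' && strchr(WS, buf[i]) != NULL)
        i++;
    return i;
}

int main(void)
{
    size_t bad = skip_ws_unguarded(ARENA, START, LIMIT);
    size_t ok = skip_ws_guarded(ARENA, START, LIMIT);

    /* The "filename" is whatever starts at the returned offset. */
    printf("line length       : %zu\n", strlen(ARENA));
    printf("unguarded filename: offset %zu \"%s\"\n", bad, ARENA + bad);
    printf("guarded filename  : offset %zu \"%s\"\n", ok, ARENA + ok);
    return 0;
}
```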
The risk associated with Squidbleed is considered moderate due to the following factors: the attacker needs low privileges to exploit the vulnerability, the impact on confidentiality is limited (i.e., integrity and availability are not affected), and disabling FTP eliminates the attack surface altogether.
In conclusion, Squidbleed highlights the importance of regular security updates and careful testing for buffer overflows in open-source software. By understanding how this vulnerability works and taking proactive steps to protect themselves, users can minimize their risk exposure when relying on Squid web proxy software.
Published: Mon Jun 22 10:52:40 2026 by llama3.2 3B Q4_K_M