In association with heise online

29 August 2011, 16:34

Gopher problem in Squid

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Squid logo The developers of the Squid web cache and proxy have fixed a hole in the code for processing Gopher responses. Gopher is a predecessor of the world wide web and is very rarely used nowadays.

If a Gopher server returned a line that was more than 4096 characters long, this caused a buffer overflow in Squid. The Squid developers' advisory says that this "usually" crashes Squid. The authors neglect to comment on whether the hole can be exploited to inject and execute code although usually, this is the case.

Most 3.x versions of Squid are affected. The developers have provided updated packages that no longer contain the flaw. As a workaround, access to Gopher URLs can also be denied via ACL:

acl Gopher proto Gopher
http_access deny Gopher


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit