Bug 985612 (CVE-2015-8936) - VUL-0: CVE-2015-8936: squidGuard: reflected cross site scripting vulnerability
Status: RESOLVED FIXED
Alias: CVE-2015-8936
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2015-8936:6.8:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-20 09:48 UTC by Andreas Stieger
Modified: 2020-06-29 06:25 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2016-06-20 09:48:00 UTC
From http://www.squidguard.org/

Available patches for version 1.4:
[...]
Patch-20150201: Fixes a XSS vulnerability in the blocking script squidGuard.cgi. See the Readme file for details about applying the patch.

http://www.squidguard.org/Downloads/CHANGELOG
2015-02-01	Fixed a cross site vulnerability in squidGuard.cgi

From the README in the archive:

###############################################################################                                                  
#                                                                             #
#               Patch 20150201 for squidGuard version 1.3 and 1.4             #
#                                                                             #
###############################################################################


Introduction:
=============

This patch fixes a reflected cross site scripting vulnerability in the blocking
script squidGuard.cgi. The vulnerability is triggered when a user clicks a link
to a blocked site where the url has scripting instructions added. 


Mitigation:
===========
The problem only occurs if the %u parameter is used when calling squidGuard.cgi.
Users with static block pages or those who do not use this parameter will not
face this problem.

===

From glancing at the diff, the relevant change seems to include at least:

> +$url =~ s/</&lt;/g ;
> +$url =~ s/>/&gt;/g ;
> +
>  status("403 Forbidden");
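
Review bot: The two added substitutions escape only `<` and `>`, so `&` and the quote characters in $url pass through unchanged. That is sufficient when $url is printed as element content, but the hunk does not show where $url is emitted; if it is also written inside an attribute value, a `"` or `'` would still terminate that attribute. Suggest escaping `&` first (`s/&/&amp;/g`), then `"` and `'` as well, or routing every place $url reaches the page through one HTML-escaping helper.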

I do not see this issue referenced or applied in our packages. Also no CVE assignment apparent.
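
Added example (not part of the original report and not squidGuard's own code): a Perl comparison of the bracket-only escaping from the quoted hunk with escaping of all five HTML-significant characters, for a URL reflected through the %u parameter the README mentions. The function names, the block-page fragment and the sample URLs are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example; not squidGuard's code. All names and URLs are constructed.
use strict;
use warnings;

# Escaping as in the quoted hunk: only angle brackets are replaced.
sub escape_brackets_only {
    my ($url) = @_;
    $url =~ s/</&lt;/g;
    $url =~ s/>/&gt;/g;
    return $url;
}

# Escape all five HTML-significant characters in a single pass, so an '&'
# produced by one replacement is never escaped a second time.
my %ENTITY = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
              '"' => '&quot;', "'" => '&#39;');
sub escape_html {
    my ($url) = @_;
    $url =~ s/([&<>"'])/$ENTITY{$1}/g;
    return $url;
}

# Hypothetical block-page fragment that reflects the URL twice: once as
# element content and once inside a double-quoted attribute value.
sub render_block_line {
    my ($escaped) = @_;
    return qq{<p>Blocked: <a href="$escaped">$escaped</a></p>};
}

# Constructed %u values using harmless markup and punctuation only.
my @samples = (
    'http://blocked.example/?q=<b>bold</b>',
    'http://blocked.example/?a=1&b=2',
    'http://blocked.example/?q="quoted"',
);

for my $url (@samples) {
    for my $fn ([brackets => \&escape_brackets_only], [full => \&escape_html]) {
        my ($name, $escape) = @$fn;
        my $out = $escape->($url);
        # A raw double quote in the output would end the href value early.
        my $attr_safe = $out =~ /"/ ? 'no' : 'yes';
        printf "%-8s attr-safe=%-3s %s\n", $name, $attr_safe, render_block_line($out);
    }
}
```

For the third sample the bracket-only variant reports `attr-safe=no`, because the double quote is passed through untouched; the full variant reports `yes` for every sample.
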
Comment 1 Adam Majer 2016-06-20 11:51:28 UTC
Correct, this patch is missing from SUSE, allowing block info-page to contain unescaped URLs.
Comment 2 Marcus Meissner 2016-06-20 13:43:52 UTC
cve requested on oss-sec
Comment 4 Andreas Stieger 2016-06-22 06:05:09 UTC
CVE-2015-8936 was assigned
Comment 7 Swamp Workflow Management 2016-10-12 14:09:24 UTC
SUSE-SU-2016:2510-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 985612
CVE References: CVE-2015-8936
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    squidGuard-1.4-13.10.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    squidGuard-1.4-13.10.1
Comment 8 Swamp Workflow Management 2016-10-12 14:09:50 UTC
SUSE-SU-2016:2511-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 985612
CVE References: CVE-2015-8936
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    squidGuard-1.4-27.1
Comment 9 Adam Majer 2016-10-12 14:19:49 UTC
fix released. reassigning back to security.
Comment 10 Swamp Workflow Management 2016-10-21 11:08:38 UTC
openSUSE-SU-2016:2580-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 985612
CVE References: CVE-2015-8936
Sources used:
openSUSE Leap 42.1 (src):    squidGuard-1.4-3.1
Comment 11 Marcus Meissner 2016-12-19 10:46:58 UTC
released
Comment 12 Swamp Workflow Management 2017-05-25 16:10:02 UTC
SUSE-SU-2017:1411-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 985612
CVE References: CVE-2015-8936
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    squidGuard-1.4-29.1
SUSE Linux Enterprise Server 12-SP2 (src):    squidGuard-1.4-29.1
Comment 13 Bernhard Wiedemann 2017-10-05 10:02:50 UTC
This is an autogenerated message for OBS integration:
This bug (985612) was mentioned in
https://build.opensuse.org/request/show/531548 Factory / squidGuard