-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                       AL-98.02  --  AUSCERT ALERT
                         Squid cache corruption
                             6 August 1998

Last revised: --

===========================================================================

PROBLEM:  

    Squid is a popular web caching tool.  It is used locally by web
    clients to maintain static copies of frequently referenced web
    pages.

    Several sites offering web services have reported to us that they
    have been notified by third parties that pages on their web server
    appear to have been corrupted.  Further investigation has revealed
    that the server pages are intact and that the server has not been
    compromised.  

    The problem lies only within version 1.NOVM of the Squid cache
    server; it does not lie within the web server, the browser or
    other versions of Squid.  It occurs when clients are allowed to
    request objects from the Squid cache during a fast rebuild when
    this version of Squid is restarted.

    Under these conditions, when a client (such as a browser) requests
    a page stored within the Squid cache, another page appears at the
    browser, thus leading the user to believe that the server's page
    has been corrupted.  If the client is a peer cache (rather than a
    browser), the peer cache is now poisoned and may need manual
    flushing.  Note that if Squid detects that a bad object has been
    passed on that object will be purged from its cache, meaning that
    it will not be passed on again.

    We do not believe this to be a security problem per se.  However,
    several sites have reported being affected by this problem.  In
    the interests of assisting our members in identifying a known
    problem, we have prepared this alert.


IMPACT:   

    Clients using Squid to access a cached web page may view a page
    other than the one intended.  This may cause the client user and
    the server administrator to believe that server pages have been
    corrupted when this is not the case.


SOLUTION: 

    If you are providing web caching services using Squid version
    1.NOVM, then we encourage you to consider applying the following
    patch.  Sites not using Squid, or a version other than 1.NOVM do
    not need to take any of the steps below.

    The Squid developers have made a patch available.  The patch can
    be obtained from this URL:

      http://squid.nlanr.net/Squid/1.NOVM/1.NOVM.22/squid-1.NOVM.22.rebuild_corruption.patch

    Before implementing the patch, sites are advised to consult the
    documentation at this URL for further information:

      http://squid.nlanr.net/Squid/1.NOVM/patches.html

    Sites experiencing this problem who are unable to apply a patch in
    the short term may wish to use one of the following workarounds:

    (1) Always force Squid to use slow rebuild by removing the
        cache/log-last-clean file on restarts.

    (2) Don't accept requests while rebuilding the cache by starting
        Squid with the -F option.

- ---------------------------------------------------------------------------
AusCERT would like to thank Henrik Nordstrom, Doron Shikmoni of the
Israeli academic CERT, and several anonymous member sites for their
assistance in the workarounds and solution to this problem.
- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AUSCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						       
Postal:  Australian Computer Emergency Response Team
Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNcmITih9+71yA2DNAQGCDgQAmPPt5Q3jybUpqGI6VOcqD2/tTKAe1ppI
6JIGRTV32MCN6XTUaMhC+kdyDNCBhJYvaboAiByW9INJf+Ry7Jq+sUJJurTmmGN9
urKqNhfIw+mIsjcJ3+m8LDgs4aLuIqYECGa5Bdl248Snig1iRC0tL9Rye3Ll4gHe
AbJR3oxP1MA=
=3rA5
-----END PGP SIGNATURE-----