Squidbleed flaw exposes plaintext HTTP requests after 29 years

A decades-old flaw in the Squid web proxy can expose sensitive HTTP traffic to unauthorized parties with access to the same network. Dubbed Squidbleed, the vulnerability stems from a heap over-read that allows attackers to retrieve cleartext requests, including session tokens and credentials, sent through the proxy. The bug has remained undetected since a 1997 change in FTP-parsing code, even though the affected configuration remains enabled by default.
How the flaw works
The issue arises when Squid processes certain malformed FTP-related requests. A heap over-read occurs, enabling an adversary already permitted to route traffic through the proxy to extract sensitive data from memory. Because HTTP traffic is transmitted in plaintext, any credentials or session tokens embedded in requests can be captured by the attacker. The flaw persists even in current versions of Squid, as it is tied to a legacy configuration that remains enabled by default.
Risk and mitigation
Organizations relying on Squid for web caching or proxy services should review their configurations and apply updates promptly. While Squid has not issued a dedicated patch, users are advised to disable the affected FTP parsing module if it is not required. Network administrators should also monitor traffic for unusual patterns indicative of exploitation attempts. The disclosure highlights the long-term risks of legacy code persisting in critical infrastructure.
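One way to check a squid.conf for the FTP-disabling step above, as an added example that is not from Squid or the original report. It assumes that denying ftp:// URLs with a `proto FTP` ACL ahead of any allow rule is how FTP handling is kept unreachable; the ACL names and both sample configurations are constructed.

```python
# Added example: audit squid.conf text for an early "deny ftp://" rule.
# Assumption: blocking ftp:// at http_access keeps requests away from FTP code.

def parse_rules(conf_text):
    """Return (names of ACLs matching proto FTP, ordered http_access rules)."""
    ftp_acls, rules = set(), []
    for raw in conf_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment line
        if fields[0] == "acl" and len(fields) >= 4 and fields[2] == "proto":
            if any(v.upper() == "FTP" for v in fields[3:]):
                ftp_acls.add(fields[1])
        elif fields[0] == "http_access" and len(fields) >= 3:
            rules.append((fields[1], fields[2:]))
    return ftp_acls, rules

def ftp_denied_before_allow(conf_text):
    """True only if a rule denying every ftp:// request precedes any allow.

    http_access is first-match and ACLs on one line are ANDed, so the deny
    rule must list nothing but FTP-protocol ACLs. The check is conservative:
    any allow rule seen first counts as a failure.
    """
    ftp_acls, rules = parse_rules(conf_text)
    for action, acls in rules:
        if action == "deny" and all(a in ftp_acls for a in acls):
            return True
        if action == "allow":
            return False
    return False

# Constructed sample configurations (not taken from any real deployment).
WEAK = """
acl localnet src 10.0.0.0/8
acl Safe_ports port 80 21 443
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""
HARDENED = """
acl localnet src 10.0.0.0/8
acl ftp_scheme proto FTP
http_access deny ftp_scheme
http_access allow localnet
http_access deny all
"""
```

A False result means the configuration needs manual review, not that the proxy is confirmed exposed.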
Source: The Hacker News. AI-assisted editorial synthesis — TechnoExpress.

