The LINUX.COM Article Archive
Originally Published: Wednesday, 27 October 1999 | Author: Quentin Cregan |
Published to: news_enhance_security/Security News
Squid 2.2 Issues.
After decoding the base64 encoded "user:password" pair
given by the client, Squid doesn't strip out any '\n' or
'\r' found in the resulting string. Given such a string,
any external authenticator will receive two lines instead
of one, and most probably send two results. Now, any
subsequent authentication exchange will have its answer
shifted by one. Therefore, a malicious user can gain
access to sites he or she should not have access to. Click more for the stable5 patch.
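
The reply shift described above, as an added example that is not part of the original article or of Squid's code: a toy line-based authenticator shows how one credential with an embedded line feed misaligns the next reply, beside a check on the decoded string. `LineHelper`, `ACCOUNTS`, `proxy` and the sample credentials are constructed for illustration, and refusing the credential (rather than stripping the characters) is this example's choice.

```python
import base64
from collections import deque

ACCOUNTS = {"alice": "s3cret"}  # constructed sample account

class LineHelper:
    """Toy external authenticator: one verdict per input line."""
    def __init__(self):
        self.replies = deque()

    def write(self, data):
        for line in data.split("\n")[:-1]:  # data always ends with "\n"
            user, _, password = line.rstrip("\r").partition(":")
            ok = ACCOUNTS.get(user) == password
            self.replies.append((line, "OK" if ok else "ERR"))

    def read_reply(self):
        return self.replies.popleft()

def has_control_chars(cred):
    """True if the decoded credential holds CR, LF or any other control byte."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in cred)

def proxy(b64_credentials, sanitize):
    """One write and one read per request, as the proxy assumes.
    Returns (credential, line the reply really answered, verdict)."""
    helper, results = LineHelper(), []
    for b64 in b64_credentials:
        cred = base64.b64decode(b64).decode("latin-1")
        if sanitize and has_control_chars(cred):
            results.append((cred, None, "ERR"))  # refused, helper never sees it
            continue
        helper.write(cred + "\n")
        results.append((cred, *helper.read_reply()))
    return results

# Constructed sample traffic: request 1 embeds a line feed, request 2 is normal.
SAMPLE = [base64.b64encode(b"carol:x\ncarol:y"), base64.b64encode(b"alice:s3cret")]

if __name__ == "__main__":
    for mode in (False, True):
        print("sanitize =", mode)
        for cred, answered, verdict in proxy(SAMPLE, mode):
            print(f"  sent {cred!r:22} reply {verdict} (for {answered!r})")
```

Without the check, the second request receives the verdict computed for the leftover line of the first; with it, each reply answers the credential that was actually sent.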