Netgate Discussion Forum
    Password Leak In Squid Cache Log

    Cache/Proxy
    3 Posts 2 Posters 985 Views

      RTEAdmin

      When certain errors occur in Squid, entries may appear in the Squid Cache Table log that reveal user names and passwords of pfSense users and administrators.

      In this configuration, a Target category ("<category name>") was created in SquidGuard containing domains which are intended to be white-listed. That Target category was added to a Group ACL ("<acl name>").

      The Target category contained only a list of FQDNs in the Domain List, and Redirect mode was set to "none". The Group ACL was set as follows (Please note that the entries enclosed in "<" and ">" represent data that has been anonymized for this post.):

      Client (source): 192.168.32.0/19
      Time: none
      Target Rules: ^ <category name>all [ <category name>all]
                          <category name>access: whitelist, allow
      Redirect mode: none
      Rewrite: none
      Log: (checked to enable logging for the ACL)

      SquidGuard is enabled for LDAP DN <user id> with LDAP DN Password <password>. Strip NT domain name and Strip Kerberos Realm are both enabled, LDAP Version 3 is selected, and logging is enabled.

      Following enabling SquidGuard, the following entries appear in the Squid Cache log (Again, entries enclosed in "<" and ">" represent data that has been anonymized for this post.):

      BEGIN LOG

      14.03.2018 17:17:43 ERROR: URL-rewrite produces invalid request: GET <user id>ldapbindpass <password>ldapprotover 3stripntdomain truestriprealm true# <acl description>src <category name>{ ip 192.168.32.0/19 log block.log}# <category description>dest <category name>{ domainlist <category name>/domains log block.log}# rew safesearch { s@(google..*/search?.*ERR HTTP/1.1

      14.03.2018 17:11:33 ERROR: URL-rewrite produces invalid request: CONNECT <user id>ldapbindpass <password>ldapprotover 3stripntdomain truestriprealm true# <acl description>src <acl name>{ ip 192.168.32.0/19 log block.log}# <category description>dest <category name>{ domainlist <category name>/domains log block.log}# rew safesearch { s@(google..*/search?.*ERR HTTP/1.1

      14.03.2018 18:11:32 pinger: Initialising ICMP pinger …

      END LOG

      I haven't figured out what the error is yet, but the LDAP user ID and password should not appear in the log because users can see each others' passwords.

      If there is a better place to report this, I'll be grateful to know.

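      As an added example (not code from this thread, pfSense, Squid or squidGuard), the following Python scrubber detects cache.log lines of the shape quoted above and redacts the LDAP bind password before the log is viewed, shipped or shared. It assumes the secret sits directly after the `ldapbindpass` key and runs into the next squidGuard.conf keyword, exactly as in the excerpt ("<password>ldapprotover 3stripntdomain true..."); the DN, password and log lines in the sample are constructed.

```python
import re

# Added example (not code from the thread, pfSense, Squid or squidGuard).
# It assumes the leaked secret sits right after the "ldapbindpass" key and runs
# into the next squidGuard.conf keyword, as in the thread's anonymized excerpt
# ("ldapbindpass <password>ldapprotover 3stripntdomain true...").

_REWRITE_ERR = "URL-rewrite produces invalid request"

# squidGuard.conf keywords that may directly follow the password once the
# newlines of the echoed configuration have been stripped out.
_NEXT_KEYS = (
    r"ldapprotover|ldapcachetime|ldapbinddn|stripntdomain|striprealm|"
    r"dbhome|logdir|src\s|dest\s|rew\s|acl\s"
)

_BINDPASS_RE = re.compile(
    r"(ldapbindpass\s+)"                  # key and separator, kept as-is
    r"(.+?)"                              # the secret, lazily matched
    rf"(?=(?:{_NEXT_KEYS})|\s*#|\s*$)"    # stop at next keyword, comment or EOL
)


def contains_leaked_bindpass(line: str) -> bool:
    """True when a URL-rewrite error line carries an LDAP bind password."""
    return _REWRITE_ERR in line and _BINDPASS_RE.search(line) is not None


def redact_line(line: str) -> str:
    """Replace the bind password value, keeping the rest of the line intact."""
    return _BINDPASS_RE.sub(r"\1[REDACTED]", line)


def scrub_log(text: str) -> tuple[str, int]:
    """Scrub every leaked line; return (scrubbed_text, number_of_leaked_lines)."""
    out, leaked = [], 0
    for line in text.splitlines():
        if contains_leaked_bindpass(line):
            leaked += 1
            line = redact_line(line)
        out.append(line)
    return "\n".join(out), leaked


# Constructed sample log (hypothetical DN and password, modelled on the thread).
SAMPLE_LOG = (
    "14.03.2018 17:17:43 ERROR: URL-rewrite produces invalid request: "
    "GET cn=proxybind,dc=example,dc=test ldapbindpass Hunter2!xyz"
    "ldapprotover 3stripntdomain truestriprealm true# Whitelist src whitelist "
    "{ ip 192.168.32.0/19 log block.log}# rew safesearch "
    "{ s@(google..*/search?.*ERR HTTP/1.1\n"
    "14.03.2018 18:11:32 pinger: Initialising ICMP pinger ...\n"
)

if __name__ == "__main__":
    scrubbed, n = scrub_log(SAMPLE_LOG)
    print(f"{n} line(s) redacted")
    print(scrubbed)
```

      Run it over a copy of cache.log before the file reaches anyone who is not entitled to the bind credentials, or hook `scrub_log` into whatever forwards the log. Redaction is a stopgap only: the rewriter echoing its own configuration into the request is the fault to fix, and a bind password that has already been written to a shared log should be treated as exposed and rotated.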
        jimp Rebel Alliance Developer Netgate

        As you can see from the log entry, the problem appears to be from safesearch, not the category itself.

        That would be something to bring up to squid directly, though that may be a squidGuard issue as well (and it has been essentially abandoned).

        You can disable logging in squid, which could help, but if you are worried about users seeing the passwords, why do those users have access to the squid log at all, or pfSense?

          RTEAdmin

          @jimp:

          As you can see from the log entry, the problem appears to be from safesearch, not the category itself.

          That would be something to bring up to squid directly, though that may be a squidGuard issue as well (and it has been essentially abandoned).

          Yes, thanks for confirming that about squidguard. I'm considering switching to suricata, anyway.

          You can disable logging in squid, which could help, but if you are worried about users seeing the passwords, why do those users have access to the squid log at all, or pfSense?

          If I get hit by a truck, a couple of other sysadmins are authorized to access pfSense. And while we configure logging to minimize noise, we /never/ turn it off. We actually use our logs.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.