Password Leak In Squid Cache Log

RTEAdmin

When certain errors occur in Squid, entries may appear in the Squid Cache Table log that reveal user names and passwords of pfSense users and administrators.

In this configuration, a Target category ("<category name="">") was created in SquidGuard containing domains which are intended to be white-listed. That Target category was added to a Group ACL ("<acl name="">").

The Target category contained only a list of FQDNs in the Domain List, and Redirect mode was set to "none". The Group ACL as set as follows (Please note that the entries enclosed in "<" and ">" represent data that has been anonymized for this post.):

Client (source): 192.168.32.0/19
Time: none
Target Rules: ^ <category name="">all [ <category name="">all]
                    <category name="">access: whitelist, allow
Redirect mode: none
Rewrite: none
Log: (checked to enable logging for the ACL)

SquidGuard is enabled for LDAP DN <user id="">with LDAP DN Password <password>. Strip NT domain name and Strip Kerberos Realm are both enabled, LDAP Version 3 is selected, and logging is enabled.

Following enabling SquidGuard, the following entries appear in the Squid Cache log (Again, entries enclosed in "<" and ">" represent data that has been anonymized for this post.):

BEGIN LOG

14.03.2018 17:17:43 ERROR: URL-rewrite produces invalid request: GET <user id="">ldapbindpass <password>ldapprotover 3stripntdomain truestriprealm true# <acl description="">src <category name="">{ ip 192.168.32.0/19 log block.log}# <category description="">dest <category name="">{ domainlist <category name="">/domains log block.log}# rew safesearch { s@(google..*/search?.*ERR HTTP/1.1

14.03.2018 17:11:33 ERROR: URL-rewrite produces invalid request: CONNECT <user id="">ldapbindpass <password>ldapprotover 3stripntdomain truestriprealm true# <acl description="">src <acl name="">{ ip 192.168.32.0/19 log block.log}# <category description="">dest <category name="">{ domainlist <category name="">/domains log block.log}# rew safesearch { s@(google..*/search?.*ERR HTTP/1.1

14.03.2018 18:11:32 pinger: Initialising ICMP pinger …

END LOG

I haven't figured out what the error is yet, but the LDAP user ID and password should not appear in the log because users can see each others passwords.

If there is a better place to report this, I'll be grateful to know.</category></category></category></acl></acl></password></user></category></category></category></category></acl></password></user></password></user></category></category></category></acl></category>

jimp

As you can see from the log entry, the problem appears to be from safesearch, not the category itself.

That would be something to bring up to squid directly, though that may be a squidGuard issue as well (and it has been essentially abandoned).

You can disable logging in squid, which could help, but if you are worried about users seeing the passwords, why do those users have access to the squid log at all, or pfSense?

RTEAdmin

@jimp:

As you can see from the log entry, the problem appears to be from safesearch, not the category itself.

That would be something to bring up to squid directly, though that may be a squidGuard issue as well (and it has been essentially abandoned).

Yes, thanks for confirming that about squidguard. I'm considering switching to suricata, anyway.

You can disable logging in squid, which could help, but if you are worried about users seeing the passwords, why do those users have access to the squid log at all, or pfSense?

If I get hit by a truck, a couple of other sysadmins are authorized to access pfSense. And while we configure logging to minimize noise, we /never/ turn it off. We actually use our logs.