Date: 06 August 1998
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
A U S C E R T A L E R T
AL-98.02 -- AUSCERT ALERT
Squid cache corruption
6 August 1998
Last revised: --
Squid is a popular web caching tool. It is used locally by web
clients to maintain static copies of frequently referenced web
Several sites offering web services have reported to us that they
have been notified by third parties that pages on their web server
appear to have been corrupted. Further investigation has revealed
that the server pages are intact and that the server has not been
The problem lies only within version 1.NOVM of the Squid cache
server; it does not lie within the web server, the browser or
other versions of Squid. It occurs when clients are allowed to
request objects from the Squid cache during a fast rebuild when
this version of Squid is restarted.
Under these conditions, when a client (such as a browser) requests
a page stored within the Squid cache, another page appears at the
browser, thus leading the user to believe that the server's page
has been corrupted. If the client is a peer cache (rather than a
browser), the peer cache is now poisoned and may need manual
flushing. Note that if Squid detects that a bad object has been
passed on that object will be purged from its cache, meaning that
it will not be passed on again.
We do not believe this to be a security problem per se. However,
several sites have reported being affected by this problem. In
the interests of assisting our members in identifying a known
problem, we have prepared this alert.
Clients using Squid to access a cached web page may view a page
other than the one intended. This may cause the client user and
the server administrator to believe that server pages have been
corrupted when this is not the case.
If you are providing web caching services using Squid version
1.NOVM, then we encourage you to consider applying the following
patch. Sites not using Squid, or a version other than 1.NOVM do
not need to take any of the steps below.
The Squid developers have made a patch available. The patch can
be obtained from this URL:
Before implementing the patch, sites are advised to consult the
documentation at this URL for further information:
Sites experiencing this problem who are unable to apply a patch in
the short term may wish to use one of the following workarounds:
(1) Always force Squid to use slow rebuild by removing the
cache/log-last-clean file on restarts.
(2) Don't accept requests while rebuilding the cache by starting
Squid with the -F option.
AusCERT would like to thank Henrik Nordstrom, Doron Shikmoni of the
Israeli academic CERT, and several anonymous member sites for their
assistance in the workarounds and solution to this problem.
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT
and AUSCERT Advisories, and other computer security information.
AusCERT maintains a World Wide Web service which is found on:
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call
after hours for emergencies.
Postal: Australian Computer Emergency Response Team
The University of Queensland
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----