<h1>Critical Squid vulnerability leaks user authentication credentials</h1>
<p><i>Published 2025-10-21, last modified 2026-02-05. Original post: <a href="https://infosec.new88088.net/2025/10/21/lo-hong-nghiem-trong-trong-squid-lam-ro-ri-thong-tin-xac-thuc-nguoi-dung/">https://infosec.new88088.net/2025/10/21/lo-hong-nghiem-trong-trong-squid-lam-ro-ri-thong-tin-xac-thuc-nguoi-dung/</a></i></p>
<p><b>The Squid developers have disclosed and fixed a critical vulnerability that leaks HTTP authentication credentials and security tokens when the proxy generates an error page. Tracked as CVE-2025-62168 and rated CVSS 10.0, it arises because Squid did not strip authentication data from the response body in some error-handling paths, so sensitive data could be disclosed to third parties through proxy-generated error pages.</b></p>
<p>The issue lies in the mechanism that attaches debugging information to the cache administrator's mailto: link on error pages, controlled by the email_err_data configuration directive. When this option is enabled (it is on by default), Squid can inadvertently embed authentication credentials or internal tokens in the error page. An attacker can exploit this with script designed to get past browser protections and extract whatever data appears in the error response.</p>
<p>According to the development team, CVE-2025-62168 affects all Squid releases up to and including 7.1, depending on configuration. Because Squid is frequently deployed as a forward proxy for users or as a reverse proxy or gateway in front of backend services, the impact is not confined to a single host: credentials harvested from one error page can be replayed against internal services, allowing user impersonation, lateral movement within the network, or compromise of components behind the proxy.</p>
<p>Squid has shipped the fix in version 7.2, where error handling has been updated to remove all authentication data before the response is returned to the client. The project also provides a source patch for environments that cannot upgrade immediately. The interim measure for administrators is to disable the insertion of debugging information into the administrator link by setting email_err_data off in squid.conf and then reloading the configuration (squid -k reconfigure). Administrators can check what the parser sees with the following command:</p>
<pre><code>squid -k parse 2&gt;&amp;1 | grep "email_err_data"</code></pre>
<p>Note that squid -k parse only reports directives that are actually present in squid.conf. If the directive is absent, the built-in default (on) applies, so an empty result from this check means the proxy is still exposed until the directive is added or the proxy is upgraded.</p>
<p>Because CVE-2025-62168 can be exploited without any special privileges, every Squid deployment that is exposed publicly or sits at an internal network boundary needs urgent review. As the intermediary between users and web applications, a proxy whose exception handling slips even slightly can undermine the whole authentication scheme and turn the proxy into a leak of critical information.</p>
<p>Operations teams are advised to inventory every Squid instance in their infrastructure and either deploy the latest patch or temporarily disable the affected feature. Backend services should also be reviewed to assess the risk of token leakage. For systems that have been serving debugging information in error pages, rotate every token that may have been exposed and tighten monitoring for unusual access activity.</p>
<p>CVE-2025-62168 once again shows the risk posed by seemingly minor mistakes in error handling. When authentication data is not protected properly, an intermediary layer such as a proxy can become the weakest link in the defensive chain. For organizations running Squid at scale, a single missed patch or misconfiguration is enough to open a path for attackers into internal systems.</p>
<div style="text-align: right"><b><i>Source: Security Online</i></b></div>
<div style="text-align: right;margin-top: 16px"><i>Via: <a href="https://whitehat.vn/threads/lo-hong-nghiem-trong-trong-squid-lam-ro-ri-thong-tin-xac-thuc-nguoi-dung.18852/" target="_blank" rel="noopener noreferrer">https://whitehat.vn/threads/lo-hong-nghiem-trong-trong-squid-lam-ro-ri-thong-tin-xac-thuc-nguoi-dung.18852/</a></i></div>
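<p>To confirm that the email_err_data off workaround or the 7.2 upgrade actually stops the leak, the check a practitioner wants is to send a request carrying credentials through the proxy, force an error page, and look for those credentials in the response body. The following is an added example, not code from the Squid project or from the article: find_leaks scans an error page for the sensitive request headers that were sent, decoding the percent-encoded mailto: payload so that padded or space-containing tokens are not missed. The two sample pages are constructed to resemble the mailto: link Squid builds; the exact layout of a real Squid error page, and the probe_proxy helper for a live check, are assumptions.</p>

```python
"""Check whether a Squid-style error page echoes request credentials.

Added example, not code from the Squid project or the article it follows.
It models the leak CVE-2025-62168 describes: with email_err_data on, Squid
appends request details to the cache-administrator mailto: link on error
pages. The sample pages below are constructed; the exact layout of a real
Squid error page is an assumption here.
"""
import base64
import http.client
from urllib.parse import unquote

# Request headers whose values must never be reflected in a response body.
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie")


def credential_tokens(request_headers):
    """Map each sensitive header name to the set of secrets to hunt for.

    For every sensitive header we look for the full value, the bare
    credential after the scheme (the base64 blob of Basic, a Bearer token)
    and, for Basic, the decoded user:password pair.
    """
    tokens = {}
    for name, value in request_headers.items():
        if name.lower() not in SENSITIVE_HEADERS:
            continue
        secrets = {value}
        scheme, _, blob = value.partition(" ")
        if blob:
            secrets.add(blob)
            if scheme.lower() == "basic":
                try:
                    secrets.add(base64.b64decode(blob, validate=True).decode())
                except (ValueError, UnicodeDecodeError):
                    pass  # malformed Basic value: still search for the raw blob
        tokens[name] = secrets
    return tokens


def find_leaks(request_headers, body):
    """Return {header_name: set(of leaked secrets)} found in body.

    The mailto: payload is percent-encoded, so "==" padding or spaces in a
    credential hide it from a naive substring search; both the raw body and
    its percent-decoded form are checked.
    """
    views = (body, unquote(body))
    leaks = {}
    for name, secrets in credential_tokens(request_headers).items():
        hits = {s for s in secrets if any(s in v for v in views)}
        if hits:
            leaks[name] = hits
    return leaks


def probe_proxy(proxy_host, proxy_port, headers, url="http://invalid.test/"):
    """Live check against a real proxy (hypothetical helper, not run here).

    Requests a name that cannot resolve so the proxy must generate an error
    page, then scans that page for the credentials that were sent.
    """
    conn = http.client.HTTPConnection(proxy_host, proxy_port, timeout=10)
    conn.request("GET", url, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, find_leaks(headers, body)


# Constructed sample data (not captured from a real Squid instance).
REQUEST_HEADERS = {
    "Host": "invalid.test",
    "Proxy-Authorization": "Basic YWxpY2U6aHVudGVyMg==",  # alice:hunter2
    "Cookie": "session=s3cr3t",
}

# Error page whose mailto: link carries the percent-encoded request headers,
# the shape of the leak with email_err_data on (layout assumed).
LEAKY_PAGE = (
    '<p>Your cache administrator is <a href="mailto:webmaster?subject=CacheErrorInfo'
    '&body=CacheHost%3A%20proxy.example%0D%0A'
    'Request%3A%20GET%20http%3A%2F%2Finvalid.test%2F%20HTTP%2F1.1%0D%0A'
    'Host%3A%20invalid.test%0D%0A'
    'Proxy-Authorization%3A%20Basic%20YWxpY2U6aHVudGVyMg%3D%3D%0D%0A">webmaster</a>.</p>'
)

# The same page with email_err_data off: only the bare mailto: address.
CLEAN_PAGE = '<p>Your cache administrator is <a href="mailto:webmaster">webmaster</a>.</p>'


if __name__ == "__main__":
    print("leaky page:", find_leaks(REQUEST_HEADERS, LEAKY_PAGE))
    print("clean page:", find_leaks(REQUEST_HEADERS, CLEAN_PAGE))
```

<p>On the constructed leaky page the Basic credential is reported even though its "==" padding is percent-encoded, while the Cookie header, which the sample link does not include, is not; the clean page yields nothing. Run probe_proxy against a staging proxy with throwaway credentials, never with a real account, since the point of the check is that the value may be written into an error page and logs.</p>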