CVE-2001-0843 in Squid
Summary
by MITRE
Squid proxy server 2.4 and earlier allows remote attackers to cause a denial of service (crash) via a mkdir-only FTP PUT request.
Analysis
by VulDB Data Team • 10/03/2025
CVE-2001-0843 affects Squid proxy server versions 2.4 and earlier. It is a critical denial of service flaw that a remote attacker can use to crash the proxy. The trigger is a crafted FTP PUT request that carries only a mkdir command and no file data; Squid does not handle such a malformed request correctly. The root cause is insufficient input validation and error handling in Squid's FTP protocol implementation, which neither sanitizes nor rejects requests that attempt to create a directory without accompanying file content.
Exploitation consists of sending an FTP PUT request that includes a mkdir command but omits the expected file data payload. When Squid processes it, it fails to validate the request structure and crashes or terminates unexpectedly. The behavior is characteristic of a buffer overflow or improper state handling vulnerability and falls under the category of software fault tolerance issues. It reflects weak defensive programming: the application lacks request validation that would detect and reject malformed FTP commands before they destabilize the service.
Operationally, the vulnerability poses significant risk to organizations that rely on Squid proxy servers for network traffic management and caching. A successful attack causes complete service disruption: administrators must restart the proxy service, and legitimate users may lose access to network resources in the meantime. Because the attack is remote and needs neither authentication nor prior access to the target, anyone with network reachability to the vulnerable proxy can carry it out, which makes deployments exposed to untrusted networks or internet-facing services especially at risk.
The vulnerability aligns with CWE-129, which describes improper validation of input boundaries, and shows characteristics consistent with CWE-248, an exception not caught by the application. In ATT&CK terms it maps to T1499.004, covering network denial of service attacks, and T1071.004, covering application layer protocol traffic. Immediate mitigations: upgrade to Squid 2.5 or later, where the issue has been addressed; restrict FTP access through the proxy to trusted sources with network-level firewalls; and monitor FTP traffic for unusual patterns that may indicate exploitation attempts. Administrators should also disable FTP functionality they do not need and put logging and alerting in place so that exploitation attempts are identified and responded to quickly.
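The monitoring recommendation above can be turned into a concrete check on the proxy's own access log. The following script is an added example, not code from VulDB, MITRE or the Squid project. It assumes Squid's native access.log layout (timestamp, elapsed ms, client address, result/status code, bytes, method, URL, ident, hierarchy, content type), treats a PUT to an ftp:// URL as the event of interest, and flags it when the client is outside a trusted list, when the URL names a directory rather than a file (the "mkdir-only" shape described above, an assumption about how such a request appears in the log), or when Squid logged no response status. The sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log layout (assumption):
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1003000001.101 312 192.0.2.10 TCP_MISS/200 4096 GET ftp://ftp.example.org/pub/README - DIRECT/198.51.100.7 text/plain
1003000002.455 87 192.0.2.10 TCP_MISS/200 1532 GET http://www.example.org/ - DIRECT/198.51.100.8 text/html
1003000003.002 15 203.0.113.9 TCP_MISS/000 0 PUT ftp://ftp.example.org/incoming/newdir/ - DIRECT/198.51.100.7 -
1003000003.250 12 203.0.113.9 TCP_MISS/000 0 PUT ftp://ftp.example.org/incoming/other/ - DIRECT/198.51.100.7 -
1003000004.900 201 192.0.2.44 TCP_MISS/200 2048 PUT ftp://ftp.example.org/incoming/report.txt - DIRECT/198.51.100.7 -
"""

# Clients allowed to upload through the proxy (constructed example value).
TRUSTED_CLIENTS = frozenset({"192.0.2.44"})

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Parse one native-format access.log line into a dict, or None if it
    does not match the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_ftp_put_events(log_text, trusted=frozenset()):
    """Return every PUT request to an ftp:// URL, each with a list of reasons
    it deserves attention (an empty list means 'seen, but benign')."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "PUT" or not rec["url"].lower().startswith("ftp://"):
            continue
        reasons = []
        if rec["client"] not in trusted:
            reasons.append("untrusted-client")
        # A URL ending in "/" targets a directory, not a file: the mkdir-only
        # request shape (assumption about how it appears in the log).
        if rec["url"].endswith("/"):
            reasons.append("directory-only-target")
        # Status 000 means Squid recorded no response for the request, which is
        # what a crashed or aborted transaction looks like in the log.
        if rec["status"].endswith("/000"):
            reasons.append("no-response")
        events.append({"ts": rec["ts"], "client": rec["client"],
                       "url": rec["url"], "reasons": reasons})
    return events


def summarize(events):
    """Count flagged FTP PUT events per client, for alert thresholds."""
    return Counter(e["client"] for e in events if e["reasons"])


if __name__ == "__main__":
    evts = find_ftp_put_events(SAMPLE_LOG, TRUSTED_CLIENTS)
    for e in evts:
        print(e["ts"], e["client"], e["url"], ",".join(e["reasons"]) or "ok")
    print(dict(summarize(evts)))
```

Running it over the constructed log reports the two directory-only uploads from 203.0.113.9 (untrusted, no response logged) and leaves the trusted client's file upload unflagged; the per-client counter is the input an alert rule would threshold on. On a real deployment, feed it the actual access.log and keep the trusted list in step with the firewall rules that restrict FTP through the proxy.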