FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

squid ACL bypass due to URL decoding bug

Affected packages
squid < 2.5.5

Details

VuXML ID 705e003a-7f36-11d8-9645-0020ed76ef5a
Discovery 2004-02-29
Entry 2004-03-26
Modified 2015-05-01

From the Squid advisory:

Squid versions 2.5.STABLE4 and earlier contain a bug in the "%xx" URL decoding function. It may insert a NUL character into decoded URLs, which may allow users to bypass url_regex ACLs.
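The effect described in the advisory, as an added example (not Squid's code): a percent-decoder that accepts "%00" hands a C-string regex matcher a buffer it stops reading at the NUL, while a decoder that refuses "%00" does not. The names url_decode and acl_matches, the pattern, and the host names are constructed for illustration; POSIX regexec() stands in for url_regex matching.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>

static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %xx escapes; out must hold strlen(in)+1 bytes. reject_nul == 0
 * lets "%00" become an embedded NUL byte (the flawed behaviour); nonzero
 * refuses it. Returns the decoded length, or -1 on refusal/bad escape. */
long url_decode(const char *in, char *out, int reject_nul) {
    long n = 0;
    while (*in) {
        int c = (unsigned char)*in++;
        if (c == '%') {
            int hi = hexval((unsigned char)in[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[1]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            in += 2;
            if (c == 0 && reject_nul) return -1;
        }
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

/* Stand-in for a url_regex rule: regexec() takes a C string, so it stops
 * reading at the first NUL. Returns 1 on match, 0 if not, -1 on bad pattern. */
int acl_matches(const char *pattern, const char *url) {
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    int hit = regexec(&re, url, 0, NULL, 0) == 0;
    regfree(&re);
    return hit;
}

int main(void) {
    const char *req = "http://www%00.blocked.example/"; /* constructed */
    char buf[64];
    long n = url_decode(req, buf, 0);
    printf("lenient: %ld bytes decoded, rule matches: %d\n", n,
           acl_matches("blocked\\.example", buf));
    printf("strict: %ld\n", url_decode(req, buf, 1));
    return 0;
}
```

The decoded length exceeding what the matcher reads is the signal to check for: any gap between the decoder's byte count and the C-string length of its output means a later string-based check sees less than was requested.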

References

CVE Name CVE-2004-0189
URL http://www.squid-cache.org/Advisories/SQUID-2004_1.txt