Dear all,
I read from http://esikker.dk/vul_14462.php says that
> A bug in Squid allows users to bypass certain access controls by passing a
> URL containing "%00" which exploits the Squid decoding function.
> This may insert a NUL character into decoded URLs, which may allow
> users to
> bypass url_regex access control lists that are enforced upon them.
> In such a scenario, Squid will insert a NUL character after
> the"%00" and it will make a comparison between the URL to the end
> of the NUL character rather than the contents after it: the comparison
> does
> not result in a match, and the user's request is not denied.
Does it mean that any url containing the symbol "%" will not work with
url_regex?
I ask this because whenever I configure my url_regex to detect % it
never does so.
And then i read about the above from some website.
Not sure if I am right in my understanding of the above article.
please help me with that,
thanks a million for helping
Received on Tue Feb 15 2005 - 02:09:17 MST
This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:02 MST