CVE-2004-0189

Published: 15/03/2004 Updated: 10/10/2017
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 755
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The "%xx" URL decoding function in Squid 2.5STABLE4 and previous versions allows remote malicious users to bypass url_regex ACLs via a URL with a NULL ("%00") character, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists.
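The truncation described above, as an added example that is not Squid's code: a simplified "%xx" decoder feeds a C-string substring match standing in for a url_regex deny rule, with the permissive decoder beside one that rejects "%00". The function names, host name and paths are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %xx escapes into dst. Returns the decoded length, or -1 on a
 * malformed escape, overflow, or (when reject_nul is set) a decoded NUL. */
int url_decode(const char *src, char *dst, size_t cap, int reject_nul)
{
    size_t n = 0;
    for (; *src; src++) {
        int ch = (unsigned char)*src;
        if (ch == '%') {
            int hi = hexval((unsigned char)src[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
            if (lo < 0) return -1;
            ch = hi * 16 + lo;
            if (ch == 0 && reject_nul) return -1;   /* hardened path */
            src += 2;
        }
        if (n + 1 >= cap) return -1;
        dst[n++] = (char)ch;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Returns 1 if the request is denied, 0 if allowed. strstr() stops at the
 * first NUL, so a decoded "%00" hides the rest of the URL from the match. */
int check_request(const char *raw, const char *deny_pattern, int hardened)
{
    char buf[256];
    if (url_decode(raw, buf, sizeof buf, hardened) < 0) return 1; /* fail closed */
    return strstr(buf, deny_pattern) != NULL;
}

int main(void)
{
    const char *raw = "http://host.example/ok%00/denied-path"; /* constructed */
    printf("permissive: denied=%d\n", check_request(raw, "denied-path", 0));
    printf("hardened:   denied=%d\n", check_request(raw, "denied-path", 1));
    return 0;
}
```

Comparing the decoder's returned length with `strlen()` of the decoded buffer is another way to detect an embedded NUL before any ACL comparison.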

Vulnerable Product

squid squid 2.4_stable7

squid squid 2.5_stable3

squid squid 2.0_patch2

squid squid 2.1_patch2

squid squid 2.3_stable5

squid squid 2.4

squid squid 2.5_stable4

Vendor Advisories

A vulnerability was discovered in squid, an Internet object cache, whereby access control lists based on URLs could be bypassed (CAN-2004-0189). Two other bugs were also fixed with patches squid-24STABLE7-url_escapepatch (a buffer overrun which does not appear to be exploitable) and squid-24STABLE7-url_portpatch (a potential denial of service ...

Exploits

source: www.securityfocus.com/bid/9778/info

It has been reported that Squid Proxy may be prone to an unauthorized access vulnerability that may allow remote users to bypass access controls resulting in unauthorized access to attacker-specified resources. The vulnerability presents itself when a URI that is designed to access a specific loca ...