The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") character, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists.

From the Squid advisory :

Squid versions 2.5.STABLE4 and earlier contain a bug in the '%xx' URL decoding function. It may insert a NUL character into decoded URLs, which may allow users to bypass url_regex ACLs.

A vulnerability was discovered in squid, an Internet object cache, whereby access control lists based on URLs could be bypassed ( CAN-2004-0189). Two other bugs were also fixed with patches squid-2.4.STABLE7-url_escape.patch (a buffer overrun which does not appear to be exploitable) and squid-2.4.STABLE7-url_port.patch (a potential denial of service).

The remote host is affected by the vulnerability described in GLSA-200403-11 (Squid ACL [url_regex] bypass vulnerability)

    A bug in Squid allows users to bypass certain access controls by passing a     URL containing '%00' which exploits the Squid decoding function.
    This may insert a NUL character into decoded URLs, which may allow users to     bypass url_regex access control lists that are enforced upon them.
    In such a scenario, Squid will insert a NUL character after     the'%00' and it will make a comparison between the URL to the end     of the NUL character rather than the contents after it: the comparison does     not result in a match, and the user's request is not denied.
  Impact :

    Restricted users may be able to bypass url_regex access control lists that     are enforced upon them which may cause unwanted network traffic as well as     a route for other possible exploits. Users of Squid 2.5STABLE4 and below     who require the url_regex features are recommended to upgrade to 2.5STABLE5     to maintain the security of their infrastructure.
  Workaround :

    A workaround is not currently known for this issue. All users are advised     to upgrade to the latest version of Squid.

The remote Squid caching proxy, according to its version number, is vulnerable to a flaw that may allow an attacker to gain access to unauthorized resources.  The flaw in itself consists of sending a malformed username containing the %00 (null) character, that may allow an attacker to access otherwise restricted resources. 

A vulnerability was discovered in squid version 2.5.STABLE4 and earlier with the processing of %-encoded characters in a URL. If a squid configuration uses ACLs (Access Control Lists), it is possible for a remote attacker to create URLs that would not be properly tested against squid's ACLs, potentially allowing clients to access URLs that would otherwise be disallowed.

As well, the provided packages for Mandrake Linux 9.2 and 9.1 include a new Access Control type called 'urllogin' which can be used to protect vulnerable Microsoft Internet Explorer clients from accessing URLs that contain login information. While this Access Control type is available, it is not used in the default configuration.

The updated packages are patched to protect against these vulnerabilities.

An updated squid package is available that fixes a security vulnerability in URL decoding and provides a new ACL type for protecting vulnerable clients.

Squid is a full-featured Web proxy cache.

A bug was found in the processing of %-encoded characters in a URL in versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses Access Control Lists (ACLs), a remote attacker could create URLs that would not be correctly tested against Squid's ACLs, potentially allowing clients to access prohibited URLs.

Users of Squid should update to these erratum packages which are not vulnerable to this issue.

In addition, these packages contain a new Access Control type, 'urllogin', which can be used to protect vulnerable Microsoft Internet Explorer clients from accessing URLs that contain login information.
Such URLs are often used by fraudsters to trick web users into revealing valuable personal data.

Note that the default Squid configuration does not make use of this new access control type. You must explicitly configure Squid with ACLs that use this new type, in accordance with your own site policies.

The remote squid caching proxy, according to its version number, is vulnerable to a flaw that could allow an attacker to gain access to unauthorized resources.

The flaw itself consists of sending a malformed username containing the %00 (null) character, which could allow an attacker to access otherwise restricted resources.

ID	Name	Product	Family	Severity
38021	FreeBSD : squid ACL bypass due to URL decoding bug (705e003a-7f36-11d8-9645-0020ed76ef5a)	Nessus	FreeBSD Local Security Checks	high
15311	Debian DSA-474-1 : squid - ACL bypass	Nessus	Debian Local Security Checks	high
14462	GLSA-200403-11 : Squid ACL [url_regex] bypass vulnerability	Nessus	Gentoo Local Security Checks	high
1212	Squid < 2.5.STABLE5 %xx URL Encoding ACL Bypass	Nessus Network Monitor	Web Servers	high
14124	Mandrake Linux Security Advisory : squid (MDKSA-2004:025)	Nessus	Mandriva Local Security Checks	high
12481	RHEL 2.1 / 3 : squid (RHSA-2004:133)	Nessus	Red Hat Local Security Checks	high
12124	Squid %xx URL Encoding ACL Bypass	Nessus	Firewalls	high

Detections

Analytics

CVE-2004-0189

critical

Tenable Plugins

high

high

high

high

high

high

high