Squid Proxy NULL URL Character Unauthorized Access Vulnerability

BID:9778

Info

Bugtraq ID: 9778
Class: Input Validation Error
CVE: CVE-2004-0189
Remote: Yes
Local: No
Published: Mar 01 2004 12:00AM
Updated: Jul 12 2009 03:06AM
Credit: Discovery is credited to Mitch Adair.
Vulnerable: Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
Trustix Secure Linux 2.0
Trustix Secure Linux 1.5
Squid Web Proxy Cache 2.5 .STABLE4
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ OpenPKG OpenPKG 2.0
+ OpenPKG OpenPKG Current
Squid Web Proxy Cache 2.5 .STABLE3
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ OpenPKG OpenPKG 1.3
+ Redhat Desktop 3.0
+ Redhat Enterprise Linux AS 3
+ Redhat Enterprise Linux ES 3
+ Redhat Enterprise Linux WS 3
+ Redhat Fedora Core1
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
Squid Web Proxy Cache 2.5 .STABLE1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ S.u.S.E. Linux Personal 8.2
Squid Web Proxy Cache 2.4 .STABLE7
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Redhat Enterprise Linux AS 2.1 IA64
+ Redhat Enterprise Linux AS 2.1
+ Redhat Enterprise Linux ES 2.1 IA64
+ Redhat Enterprise Linux ES 2.1
+ Redhat Enterprise Linux WS 2.1 IA64
+ Redhat Enterprise Linux WS 2.1
+ Redhat Linux Advanced Work Station 2.1
Squid Web Proxy Cache 2.4 .STABLE6
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Squid Web Proxy Cache 2.4 .STABLE2
Squid Web Proxy Cache 2.4
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Squid Web Proxy Cache 2.3 .STABLE5
Squid Web Proxy Cache 2.3 .STABLE4
Squid Web Proxy Cache 2.1 PATCH2
Squid Web Proxy Cache 2.0 PATCH2
SGI ProPack 3.0
SGI ProPack 2.4
SGI ProPack 2.3
SCO Unixware 7.1.4
SCO Open Server 5.0.7
SCO Open Server 5.0.6
Redhat Enterprise Linux WS 3
Redhat Enterprise Linux ES 3
Redhat Enterprise Linux ES 2.1
Redhat Enterprise Linux AS 3
Redhat Enterprise Linux AS 2.1
Redhat Advanced Workstation for the Itanium Processor 2.1
Gentoo Linux 1.4 _rc3
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc1
Gentoo Linux 1.4
Gentoo Linux 1.2
Gentoo Linux 1.1 a
Gentoo Linux 0.7
Gentoo Linux 0.5
Not Vulnerable: Squid Web Proxy Cache 2.5 .STABLE5
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32

Discussion

It has been reported that Squid Proxy may be prone to an unauthorized access vulnerability that may allow remote users to bypass access controls, resulting in unauthorized access to attacker-specified resources. The vulnerability presents itself when a URI that is designed to access a specific location with a supplied username contains '%00' characters. This sequence may be placed as part of the username value, prior to the @ symbol, in the malicious URI.

Squid Proxy versions 2.0 to 2.5 STABLE4 are reported to be prone to this vulnerability.
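
A defensive check for the pattern described above, as an added example that is not part of the original advisory: it flags logged request URLs whose username portion (the text before the @ in the authority) decodes to a NUL byte. The log layout (URL as the seventh whitespace-separated field, as in Squid's native access.log), the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Authority component: everything between "scheme://" and the next "/", "?" or "#".
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")


def userinfo_has_encoded_nul(url):
    """True when the userinfo part of the authority decodes to bytes containing NUL."""
    m = _AUTHORITY.match(url)
    if not m or "@" not in m.group(1):
        return False  # no scheme://authority, or no username part at all
    # Lenient parsers split on the last '@', so everything before it is userinfo.
    userinfo = m.group(1).rsplit("@", 1)[0]
    return b"\x00" in unquote_to_bytes(userinfo)


def flag_log_lines(lines, url_field=6):
    """Return (line_number, url) for each log line whose URL matches the pattern.

    url_field is the zero-based index of the URL column (assumed layout).
    """
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) > url_field and userinfo_has_encoded_nul(fields[url_field]):
            hits.append((number, fields[url_field]))
    return hits


# Constructed sample log lines (documentation addresses and example domains only).
SAMPLE_LOG = [
    "1078099200.101 120 192.0.2.10 TCP_MISS/200 1432 GET http://www.example.com/index.html - DIRECT/192.0.2.80 text/html",
    "1078099201.552 98 192.0.2.11 TCP_MISS/200 2210 GET http://foo%00@blocked.example.net/ - DIRECT/192.0.2.81 text/html",
    "1078099202.004 77 192.0.2.12 TCP_MISS/200 512 GET http://alice@intranet.example.org/ - DIRECT/192.0.2.82 text/html",
    "1078099203.310 64 192.0.2.13 TCP_MISS/200 640 GET http://www.example.com/a?next=x%00@y - DIRECT/192.0.2.80 text/html",
]

if __name__ == "__main__":
    for number, url in flag_log_lines(SAMPLE_LOG):
        print(f"line {number}: NUL in URL username: {url}")
```

Only the second sample line is flagged: a plain username (line 3) and a '%00' that appears in the query string rather than before the @ in the authority (line 4) do not match the pattern the advisory describes.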

Exploit / POC

The following proof of concept has been supplied:

http://foo%[email protected]/

Solution / Fix

Solution:
The vendor has released version 2.5 STABLE5 to address this issue.

Turbolinux has released an advisory (TLSA-2004-24) and fixes to address this issue. Customers are advised to see the referenced advisory for further details regarding obtaining and applying appropriate fixes.

SGI has released an advisory 20040404-01-U and fixes to address this issue. Please see referenced advisory for further details regarding obtaining and applying appropriate fixes. Fixes are linked below.

Red Hat has released an advisory (RHSA-2004:133-12) and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

Conectiva has released a security advisory (CLA-2004:838) and updates to address this issue in Conectiva products. Users are advised to apply these updates as soon as possible; further details regarding obtaining and installing these updates can be found in the referenced advisory.

Red Hat has released an advisory (RHSA-2004:134-01) and fixes to address this issue on Red Hat Linux 9 platforms. Customers affected by this issue are advised to apply the appropriate updates. Please see the referenced advisory for additional information; the fix is linked below.

Gentoo has released advisory GLSA 200403-11 to address this issue. To update the system, enter the following commands:
# emerge sync
# emerge -pv ">=net-www/squid-2.5.5"
# emerge ">=net-www/squid-2.5.5"

Mandrake has released an advisory MDKSA-2004:025 to address this issue. Please see the referenced advisory for more information.

OpenPKG has released an advisory OpenPKG-SA-2004.008 to address this issue in OpenPKG CURRENT, 2.0 and 1.3. Please see the referenced advisory for more information.

Debian has released advisory DSA 474-1 dealing with this issue.

Red Hat has released an advisory FEDORA-2004-104 to address this issue in Fedora. Please see the referenced advisory for more information.

Trustix has released an advisory TSL-2004-0019 with fixes to address this issue. Please see the referenced advisory for more information.

SGI has released an advisory (20040506-01-U) with Patch 10075 for SGI ProPack 3 to address this and other issues. Please see the referenced advisory for more information.

SCO has released an advisory (SCOSA-2004.13) to address this issue for OpenServer 5.0.6 and 5.0.7. Please see the referenced advisory for further information on obtaining fixes for affected operating systems.

SCO has released an advisory (SCOSA-2005.16) to address this issue in UnixWare 7.1.4. Please see the referenced advisory for further information on obtaining fixes.


Squid Web Proxy Cache 2.0 PATCH2

Squid Web Proxy Cache 2.1 PATCH2

Squid Web Proxy Cache 2.3 .STABLE4

Squid Web Proxy Cache 2.3 .STABLE5

SGI ProPack 2.3

Squid Web Proxy Cache 2.4 .STABLE7

Squid Web Proxy Cache 2.4 .STABLE6

Squid Web Proxy Cache 2.4

Squid Web Proxy Cache 2.4 .STABLE2

SGI ProPack 2.4

Squid Web Proxy Cache 2.5 .STABLE4

Squid Web Proxy Cache 2.5 .STABLE1

Squid Web Proxy Cache 2.5 .STABLE3

SGI ProPack 3.0

SCO Unixware 7.1.4
