[15666] in bugtraq
Re: Novell BorderManager 3.0 EE - Encoded URL rule bypass
daemon@ATHENA.MIT.EDU (Vitaly Fedrushkov)
Thu Jul 6 15:47:46 2000
Message-Id: <20000706083307.19958.qmail@securityfocus.com>
Date: Thu, 6 Jul 2000 08:33:07 -0000
Reply-To: Vitaly Fedrushkov <willy@LUKOIL.UU.RU>
From: Vitaly Fedrushkov <willy@LUKOIL.UU.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <s96328d2.051@mail.firstdatacorp.co.uk>
Good $daytime,
The same flaw in Squid was discovered (and fixed -- by
Henrik Nordstrom) back in February 1999.
If I recall properly, Apache turned out to be immune to
this problem. I had no other software to check. Now I
see I should have asked others :)
It should be noted that "end result" depends on server
implementation: some servers understand escaped
punctuation such as '/' or '~' but not letters.
Admins reading this -- please check your proxies!
Though if you're using squid >= 1.1.20 -- don't care :)
Thanks for your time.
Regards,
Willy.
--
"No easy hope or lies | Vitaly "Willy the Pooh"
Fedrushkov
Shall bring us to our goal, | Control Systems and
Processes Division
But iron sacrifice | LUKoil Company, Chelyabinsk
branch
Of Body, Will and Soul." | mailto:willy@lukoil.uu.ru
+7 3512 620367
R.Kipling | VVF1-RIPE
