Dear all,
I read from http://esikker.dk/vul_14462.php says that
A bug in Squid allows users to bypass certain access controls by passing a
URL containing "%00" which exploits the Squid decoding function.
This may insert a NUL character into decoded URLs, which may allow users to
bypass url_regex access control lists that are enforced upon them.
In such a scenario, Squid will insert a NUL character after
the"%00" and it will make a comparison between the URL to the end
of the NUL character rather than the contents after it: the comparison does
not result in a match, and the user's request is not denied.
Does it mean that any url containing the symbol "%" will not work with url_regex?
I ask this because whenever I configure my url_regex to detect % it never does so.
And then i read about the above from some website. Not sure if I am right in my understanding of the above article.
please help me with that, thanks a million for helping
