Subject: Re: Novell BorderManager 3.0 EE - Encoded URL rule bypass
From: Vitaly Fedrushkov (willyLUKOIL.UU.RU)
Date: Thu Jul 06 2000 - 03:33:07 CDT


Good $daytime,

The same flaw in Squid was discovered (and fixed -- by
Henrik Nordstrom) back in February 1999.

If I recall properly, Apache turned out to be immune to
this problem. I had no other software to check. Now I
see I should have asked others :)

It should be noted that "end result" depends on server
implementation: some servers understand escaped
punctuation such as '/' or '~' but not letters.

Admins reading this -- please check your proxies!
Though if you're using squid >= 1.1.20 -- don't care :)

Thanks for your time.

  Regards,
  Willy.

--
"No easy hope or lies        | Vitaly "Willy the Pooh" Fedrushkov
 Shall bring us to our goal, | Control Systems and Processes Division
 But iron sacrifice          | LUKoil Company, Chelyabinsk branch
 Of Body, Will and Soul."    | mailto:willylukoil.uu.ru  +7 3512 620367
                   R.Kipling | VVF1-RIPE
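
The proxy check the message asks admins to make, as an added example that is not part of the original post and is not Squid or BorderManager code: a deny rule matched against the raw request URL next to the same rule matched after percent-decoding the path. The rule, host name, and function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed deny rule (assumption): block paths containing "/games/".
DENY_SUBSTRINGS = ["/games/"]

# Constructed sample requests; example.test is a placeholder host.
SAMPLE_URLS = [
    "http://example.test/games/index.html",    # plain form
    "http://example.test/%67ames/index.html",  # escaped letter
    "http://example.test/games%2Findex.html",  # escaped punctuation
    "http://example.test/news/index.html",     # unrelated, must pass
]

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def decode_once(s):
    """Decode every %XX escape exactly once."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)

def canonical_path(url, max_rounds=3):
    """Decode the path until it stops changing, so the rule sees what
    the most permissive origin server could end up serving."""
    path = urlsplit(url).path
    for _ in range(max_rounds):
        decoded = decode_once(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("nested encoding too deep")

def naive_is_denied(url):
    """Weak form: rule compared with the URL exactly as received."""
    return any(rule in url for rule in DENY_SUBSTRINGS)

def hardened_is_denied(url):
    """Rule compared with the decoded path; fails closed when the
    encoding is nested deeper than max_rounds."""
    try:
        path = canonical_path(url)
    except ValueError:
        return True
    return any(rule in path for rule in DENY_SUBSTRINGS)

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:45} naive={naive_is_denied(u)} hardened={hardened_is_denied(u)}")
```

Decoding to a fixed point is deliberately conservative for deny rules: it can over-block a URL that a strict server would treat literally, but it cannot under-block one that a lenient server would decode.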