{"vuid":"VU#260421","idnumber":"260421","name":"Squid fails to parse empty access control lists correctly","keywords":["Squid","ACL","access control list","auth schemes","proxy_auth"],"overview":"The Squid web proxy cache may fail to handle empty Access Control Lists (ACLs) in the intended manner.","clean_desc":"Squid functions as a web proxy and cache application for a number of protocols. However, Squid Access Control List (ACL) routines may not parse an empty list as intended. An empty list may be interpreted as a nonexistent list rather than a list containing no members. This may or may not be the intended behavior.","impact":"Unintended access may be granted to all members instead of the intended result of access being denied to all members.","resolution":"Apply an update\nThis flaw has been patched in Squid 2.5.STABLE8. More details are available in the Squid Bugzilla bug #1166.","workarounds":"Team Squid recommends: Pay attention to warnings from \"squid -k parse\" and do not use configurations where there are warnings about access controls in production.","sysaffected":"","thanks":"Thanks to Team Squid for reporting this vulnerability.","author":"This document was written by Ken MacInnis.","public":["www.squid-cache.org/bugs/show_bug.cgi?id=1166","www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls","www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patch","http://www.debian.org/security/2005/dsa-667","http://secunia.com/advisories/14157/","http://secunia.com/advisories/14343/"],"cveids":["CVE-2005-0194"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-02-17T15:12:42Z","publicdate":"2004-12-21T00:00:00Z","datefirstpublished":"2005-02-21T21:39:19Z","dateupdated":"2005-02-22T20:21:48Z","revision":8,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"9","cam_impact":"4","cam_easeofexploitation":"1","cam_attackeraccessrequired":"20","cam_scorecurrent":"0.27","cam_scorecurrentwidelyknown":"0.3375","cam_scorecurrentwidelyknownexploited":"0.6075","ipprotocol":"","cvss_accessvector":"--","cvss_accesscomplexity":"--","cvss_authentication":null,"cvss_confidentialityimpact":"--","cvss_integrityimpact":"--","cvss_availabilityimpact":"--","cvss_exploitablity":null,"cvss_remediationlevel":"ND","cvss_reportconfidence":"ND","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"0","cvss_basevector":"AV:--/AC:--/Au:--/C:--/I:--/A:--","cvss_temporalscore":"0","cvss_environmentalscore":"0","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.27,"vulnote":null}