QwikSec

Security Database

CVE

CWE

Training

CVE-2012-3501

Published: Aug 25, 2012

Modified: Sep 16, 2024

PUBLISHED

Description

The squidclamav_check_preview_handler function in squidclamav.c in SquidClamav 5.x before 5.8 and 6.x before 6.7 passes an unescaped URL to a system command call, which allows remote attackers to cause a denial of service (daemon crash) via a URL with certain characters, as demonstrated using %0D or %0A.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://squidclamav.darold.net/news.html

x_refsource_CONFIRM

[oss-security] 20120816 Re: CVE Request: SquidClamav insufficient escaping flaws

mailing-list

x_refsource_MLIST

vdb-entry

x_refsource_OSVDB

https://bugs.gentoo.org/show_bug.cgi?id=428778

x_refsource_MISC

https://github.com/darold/squidclamav/commit/80f74451f628264d1d9a1f1c0bbcebc932ba5e00

x_refsource_CONFIRM

[oss-security] 20120816 CVE Request: SquidClamav insufficient escaping flaws

mailing-list

x_refsource_MLIST

vdb-entry

x_refsource_BID

third-party-advisory

x_refsource_SECUNIA

http://freecode.com/projects/squidclamav/releases/346722

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.