[19798] in bugtraq


Re: SurfControl Bypass Vulnerability

daemon@ATHENA.MIT.EDU (Darren Reed)
Fri Mar 23 05:25:38 2001

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <200103222255.JAA15424@cairo.anu.edu.au>
Date:         Fri, 23 Mar 2001 09:55:08 +1100
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
X-To:         chris_stclair@HOTMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <F20yY0QUUBPcZi71mrv00008c2d@hotmail.com> from "Chris St. Clair"
              at Mar 22, 2001 03:18:15 PM

In some mail from Chris St. Clair, sie said:
>
> Another way to bypass other URL filtering software is to convert
> the IP octets into hex using 0xnnn representation. I've been working
> with other vendors for a fix on this and will be posting a more
> detailed followup regarding the software I've been testing as soon
> as the various vendors provide fixes.
>
> As for an interim fix, it depends on the software and how flexible
> it is. Some will let you block certain regex's, some won't. If it
> does support regex's, the actual regex will depend on the different
> combinations you can use to represent the IP octets. For example,
> a combination of hex, octal, and regular decimal:
> 0xc0.168.000000001.1
>
> Coming up with an effective regex to match that might be tough.

See, that's the wrong approach to take, IMHO.

Whatever software is doing that should be converting the "hostname"
into something it can match.  A small amount of translation never
goes astray.  When that is done, everything is either a hostname or
a dotted-quad string and life is much easier.

Darren
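
The translation step described in the reply above, as an added example that is not part of the original message or of any vendor's code: a filter reduces every host string to either a dotted-quad or a lower-cased hostname before matching. The function names and the blocklist entries are assumptions, and the parser goes beyond the quoted mixed-base case to cover the shorter one-, two- and three-part numeric forms that inet_aton()-style parsing also accepts.

```python
import re

# One numeric component: 0x.. is hex, a leading 0 is octal, otherwise decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

def _parse_part(part):
    """Return the integer value of one component, or None if it is not numeric."""
    if not _PART.match(part):
        return None
    if part[:2].lower() == "0x":
        return int(part, 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)

def canonical_host(host):
    """Dotted-quad for any numeric IPv4 spelling, else the lower-cased hostname."""
    host = host.strip()
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return host.lower()
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return host.lower()  # not numeric: treat as a hostname
    # Leading parts are one byte each; the last part fills the remaining bytes.
    *head, tail = values
    if any(v > 0xFF for v in head) or tail >= 1 << (8 * (4 - len(head))):
        return host.lower()  # out of range: leave it as an opaque name
    addr = tail
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

# Constructed blocklist: entries are stored in canonical form only.
BLOCKED = {"192.168.1.1", "blocked.example"}

def is_blocked(host):
    """Match on the canonical form, so no regex over raw spellings is needed."""
    return canonical_host(host) in BLOCKED

if __name__ == "__main__":
    for h in ("0xc0.168.000000001.1", "3232235777", "Blocked.Example"):
        print(h, "->", canonical_host(h), is_blocked(h))
```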
