[19862] in bugtraq


Re: SurfControl Bypass Vulnerability

daemon@ATHENA.MIT.EDU (Ryan Russell)
Tue Mar 27 04:05:05 2001

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.GSO.4.30.0103261210140.17682-100000@mail>
Date:         Mon, 26 Mar 2001 12:14:35 -0700
Reply-To: Ryan Russell <ryan@SECURITYFOCUS.COM>
From: Ryan Russell <ryan@SECURITYFOCUS.COM>
X-To:         Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200103240020.QAA12638@dilvish.speed.net>

On Fri, 23 Mar 2001, Dan Harkless wrote:

> A URL containing an IP address is not canonical for HTTP.  HTTP 1.1 does
> virtual hosting via the "Host:" header, so multiple distinct servers can be
> on a single IP.  If you restrict based on IP, you'll block access to both
> http://www.juicysex.com/ and http://www.bible-history.org/, should they both
> be on the same box.

Quite true.  However, one or none of the sites has to be the default for
requests where the site isn't specified.  So, if the default is juicysex,
then the IP address can be blocked.  If it's bible history, then you
don't.  The bypass only "works" if the restricted site is the default.

						Ryan
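
Added example, not part of the original message: a minimal sketch of the filtering rule described in the reply, where an IP-literal URL is judged by the default virtual host at that address rather than by the address alone. The 192.0.2.x addresses, the `DEFAULT_SITE_BY_IP` table and the function names are constructed for illustration; a real filter would have to learn the default site by requesting the address itself.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data. The host names are the two from the thread;
# the addresses are documentation-range placeholders.
BLOCKED_NAMES = {"www.juicysex.com"}

# What each shared box serves when the request names no configured site
# (for example "Host: 192.0.2.10"). Both boxes host both sites.
DEFAULT_SITE_BY_IP = {
    "192.0.2.10": "www.juicysex.com",       # restricted site is the default
    "192.0.2.20": "www.bible-history.org",  # unrestricted site is the default
}


def is_ip_literal(host):
    """True when the URL host is an address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(url, defaults=DEFAULT_SITE_BY_IP, blocked=BLOCKED_NAMES):
    """Return 'block', 'allow' or 'unknown' for one requested URL."""
    host = (urlsplit(url).hostname or "").lower()
    if not is_ip_literal(host):
        # Named request: the Host header selects the site, so filter by name.
        return "block" if host in blocked else "allow"
    # IP-literal request: the server answers with its default site.
    default = defaults.get(host)
    if default is None:
        return "unknown"  # no data on this address; local policy decides
    return "block" if default in blocked else "allow"


def ip_literal_block_list(defaults=DEFAULT_SITE_BY_IP, blocked=BLOCKED_NAMES):
    """Addresses whose IP-literal URLs reach a restricted default site."""
    return sorted(ip for ip, site in defaults.items() if site in blocked)


if __name__ == "__main__":
    for u in ("http://www.bible-history.org/", "http://192.0.2.10/",
              "http://192.0.2.20/", "http://192.0.2.99/"):
        print(u, "->", decide(u))
```

Requests by name to the unrestricted site stay allowed on both boxes, because only the IP-literal form of the URL is matched against the address.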
