[15657] in bugtraq
Re: Novell BorderManager 3.0 EE - Encoded URL rule bypass
daemon@ATHENA.MIT.EDU (Frank Berzau)
Thu Jul 6 14:22:12 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Message-Id: <s964b5eb.025@cpl-mail1.cpl.novell.com>
Date: Thu, 6 Jul 2000 16:37:35 +0200
Reply-To: Frank Berzau <fberzau@NOVELL.COM>
From: Frank Berzau <fberzau@NOVELL.COM>
X-To: Kevin.Smith@FIRSTDATACORP.CO.UK
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
Hi Kevin,
We have reproduced this easily on BorderManager 3.5 as well, so we need to go and fix this asap. We'll be sending an update once a fix is available.
It is already working correctly in Novell ICS.
Regards,
Frank Berzau
Advanced Development Group
Novell, Inc.
>>> Kevin R Smith <Kevin.Smith@FIRSTDATACORP.CO.UK> 05.07.00 13.23 >>>
I suspect that this has already been defined, but I cannot find any reference to it.
Setting secure areas on an intranet secured by URL rules within BorderManager can be bypassed by changing some of the characters in the URL with %-encoded triplets. To access http://home.myintranet.com/secure use http://home.myintranet.com/s%45cure
It doesn't work for characters in the main domain name, but sub-folders seem to work ok.
I haven't seen any mention of this in any TIDs or service packs for BM, so I assume the fault carries over into version 3.5?
Regards,
Kevin R Smith
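
The rule mismatch described in this thread, as an added Python example that is not part of either message and is not Novell's code: a rule check on the raw path next to one that canonicalizes the path first. The rule table and function names are hypothetical; because `%45` decodes to an uppercase `E`, the hardened check also folds case, which assumes the origin server treats paths case-insensitively.

```python
import posixpath
import re
from urllib.parse import urlsplit, unquote

# Constructed deny rule: (host, path prefix) the proxy should block.
DENY_RULES = [("home.myintranet.com", "/secure")]

def naive_is_denied(url):
    """Compare the raw request path to the rule without decoding it."""
    parts = urlsplit(url)
    return any(parts.hostname == host and parts.path.startswith(prefix)
               for host, prefix in DENY_RULES)

def canonical_path(raw_path):
    """Decode %XX once, resolve dot segments, then fold case.

    Case folding is an assumption about the origin server (see lead-in).
    """
    decoded = unquote(raw_path, errors="strict")
    # Anything still percent-encoded after one pass is ambiguous: the
    # proxy and the origin server might disagree on how to read it.
    if re.search(r"%[0-9A-Fa-f]{2}", decoded):
        raise ValueError("nested percent-encoding")
    path = posixpath.normpath("/" + decoded.lstrip("/"))
    return path.casefold()

def hardened_is_denied(url):
    """Match rules against the canonical path; fail closed on bad input."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    try:
        path = canonical_path(parts.path)
    except ValueError:  # also covers invalid UTF-8 (UnicodeDecodeError)
        return True
    return any(host == rule_host and
               (path == prefix or path.startswith(prefix + "/"))
               for rule_host, prefix in DENY_RULES)

if __name__ == "__main__":
    for u in ("http://home.myintranet.com/secure",
              "http://home.myintranet.com/s%45cure",
              "http://home.myintranet.com/public"):
        print(u, naive_is_denied(u), hardened_is_denied(u))
```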