[15661] in bugtraq
Re: Novell BorderManager 3.0 EE - Encoded URL rule bypass
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Knud_Erik_H=F8jgaar)
Thu Jul 6 15:06:58 2000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID: <06f301bfe73a$b13fc890$7428f2d4@cybercity.dk>
Date: Thu, 6 Jul 2000 13:09:41 +0200
Reply-To: =?iso-8859-1?Q?Knud_Erik_H=F8jgaard?= <kain@EGOTRIP.DK>
From: =?iso-8859-1?Q?Knud_Erik_H=F8jgaard?= <kain@EGOTRIP.DK>
X-To: Kevin R Smith <Kevin.Smith@FIRSTDATACORP.CO.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
has anyone tried the longip equivalent for the host? (for the few what dont
know longip, try //echo -a $longip(123.45.67.89) in mIRC ) ... its a rather
old spammer trick.. disguising the urls like http://43243234432/%43%76%32
Sincerely
Knud Erik Højgaard <knud@cybercity.dk>
Cybercity Support <support@cybercity.dk>
http://www.cybercity.dk/support/
----- Original Message -----
From: Kevin R Smith <Kevin.Smith@FIRSTDATACORP.CO.UK>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Wednesday, July 05, 2000 1:23 PM
Subject: Novell BorderManager 3.0 EE - Encoded URL rule bypass
> I suspect that this has already been defined, but I cannot find any
reference to it.
>
> Setting secure areas on an intranet secured by URL rules within
bordermanager can be bypassed by changing some of the characters in the URL
with %-encoded triplets. To access http://home.myintranet.com/secure use
http://home.myintranet.com/s%45cure
>
> It doesn't work for characters in the main domain name, nut sub-folders
seem to work ok.
>
> I haven't seen any mention of this in any TIDs or service packs for BM, so
I assume the fault carries over into version 3.5?
>
>
> Regards,
> Kevin R Smith
