[15667] in bugtraq
Re: Novell BorderManager 3.0 EE - Encoded URL rule bypass
daemon@ATHENA.MIT.EDU (Ted Behling)
Thu Jul 6 16:13:43 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <3.0.6.32.20000706123130.007e6650@monis.net>
Date: Thu, 6 Jul 2000 12:31:30 -0400
Reply-To: Ted Behling <tbehling@MONARCHIS.NET>
From: Ted Behling <tbehling@MONARCHIS.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <s96328d2.051@mail.firstdatacorp.co.uk>

At 12:23 PM 07/05/2000 +0100, Kevin R Smith wrote:
>I suspect that this has already been defined, but I cannot find any
>reference to it.
>
>Setting secure areas on an intranet secured by URL rules within
>bordermanager can be bypassed by changing some of the characters in the URL
>with %-encoded triplets. To access http://home.myintranet.com/secure use
>http://home.myintranet.com/s%45cure

Thanks for the post. To add to your great work, I have a slight
correction. %45 is a capital E, so that URL would return a 404 if the
intranet server is case sensitive. %65 would generate a lowercase e. You
might want to re-test with the proper case, as BM's filters may or may not
be case sensitive.
--------------------------------------------
Ted Behling, E-Commerce Consultant
Monarch Information Systems
43 Folly Field Road, Unit 4
Hilton Head Island, SC 29928-5434
mailto:tbehling@monarchis.net
http://www.monarchis.net
Toll-free Phone & Fax: 1-800-842-7894
Local or Outside the USA: 1-843-842-7894
--------------------------------------------
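
The encoding and case points raised in this thread, as an added example that is not part of the original messages and is not BorderManager code: a URL rule check that compares the raw path, next to one that percent-decodes the path before matching. The deny list, the function names and the `case_sensitive` switch are assumptions made for illustration; only the hostname and paths come from the thread.

```python
from urllib.parse import urlsplit, unquote

# Constructed deny rule, modelled on the URL quoted in the thread.
DENY_PREFIXES = ["/secure"]


def naive_is_denied(url):
    """Weak form: match the rule against the raw, still-encoded path."""
    path = urlsplit(url).path
    return any(path.startswith(p) for p in DENY_PREFIXES)


def canonical_path(url, max_rounds=5):
    """Percent-decode the path until it stops changing.

    Repeated decoding is a conservative choice for a deny rule: it also
    covers double encoding such as %2565. A path that is still changing
    after max_rounds is rejected rather than guessed at.
    """
    path = urlsplit(url).path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("path still changing after %d decode rounds" % max_rounds)


def is_denied(url, case_sensitive=True):
    """Hardened form: match the rule against the decoded path.

    case_sensitive should mirror the origin server: a case-insensitive
    server will serve /sEcure, so the filter must fold case as well.
    """
    try:
        path = canonical_path(url)
    except ValueError:
        return True  # fail closed on paths that cannot be canonicalised
    prefixes = DENY_PREFIXES
    if not case_sensitive:
        path = path.lower()
        prefixes = [p.lower() for p in prefixes]
    return any(path.startswith(p) for p in prefixes)


if __name__ == "__main__":
    for u in ("http://home.myintranet.com/secure",
              "http://home.myintranet.com/s%65cure",
              "http://home.myintranet.com/s%45cure"):
        print(u, naive_is_denied(u), is_denied(u), is_denied(u, False))
```

The `%45` form decodes to `/sEcure`, so whether it is caught depends on the case setting, which is the distinction the reply above draws between `%45` and `%65`.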