Bugtraq mailing list archives

Re: Novell BorderManager 3.0 EE - Encoded URL rule bypass


From: kain () EGOTRIP DK (Knud Erik Højgaard)
Date: Thu, 6 Jul 2000 13:09:41 +0200


Has anyone tried the longip equivalent for the host? (For the few who don't
know longip, try //echo -a $longip(123.45.67.89) in mIRC.) ... It's a rather
old spammer trick.. disguising the URLs like http://43243234432/%43%76%32

Sincerely

Knud Erik Højgaard <knud () cybercity dk>
Cybercity Support    <support () cybercity dk>

http://www.cybercity.dk/support/

----- Original Message -----
From: Kevin R Smith <Kevin.Smith () FIRSTDATACORP CO UK>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, July 05, 2000 1:23 PM
Subject: Novell BorderManager 3.0 EE - Encoded URL rule bypass

I suspect that this has already been defined, but I cannot find any
reference to it.

Setting secure areas on an intranet secured by URL rules within
BorderManager can be bypassed by changing some of the characters in the URL
with %-encoded triplets.  To access http://home.myintranet.com/secure use
http://home.myintranet.com/s%45cure

It doesn't work for characters in the main domain name, but sub-folders
seem to work ok.

I haven't seen any mention of this in any TIDs or service packs for BM, so
I assume the fault carries over into version 3.5?


Regards,
Kevin R Smith
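
Added example (not part of either post, and not BorderManager's code): a sketch of how a URL filter can canonicalize a request before matching it against rules, so that the %-encoded path and the single-integer ("longip") host described in this thread compare equal to their plain forms. The rule list, the function names and the case-insensitive path comparison are assumptions made for illustration.

```python
import ipaddress
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed deny rule mirroring the post's example: (host, path prefix).
DENY_RULES = [("home.myintranet.com", "/secure")]


def canonical_host(host: str) -> str:
    """Lower-case the host and fold a decimal-integer host to dotted quad."""
    host = host.lower().rstrip(".")
    if host.isascii() and host.isdigit() and int(host) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(host)))
    return host


def canonical_path(path: str) -> str:
    """Decode %XX triplets, collapse dot segments and extra slashes, fold case."""
    decoded = unquote(path or "/")
    normalized = posixpath.normpath(decoded)
    # normpath keeps a leading "//"; force exactly one leading slash.
    normalized = "/" + normalized.lstrip("/")
    # Assumption: the protected server treats paths case-insensitively.
    return normalized.lower()


def is_denied(url: str, rules=DENY_RULES) -> bool:
    """Match the canonical form of the URL against each (host, prefix) rule."""
    parts = urlsplit(url)
    host = canonical_host(parts.hostname or "")
    path = canonical_path(parts.path)
    for rule_host, rule_prefix in rules:
        if host != canonical_host(rule_host):
            continue
        # Prefix match on whole path segments only ("/secure", "/secure/...").
        if path == rule_prefix or path.startswith(rule_prefix + "/"):
            return True
    return False


if __name__ == "__main__":
    for u in ("http://home.myintranet.com/secure",
              "http://home.myintranet.com/s%45cure",
              "http://home.myintranet.com/securely"):
        print(u, "->", "DENY" if is_denied(u) else "allow")
```

The host folding here covers only the plain decimal form; a rule written against a hostname still needs the filter to know which addresses that name maps to.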

