Re: SurfControl Bypass Vulnerability

[Paul Cardon <paul () MOQUIJO COM>]

Darren Reed wrote:
> In some mail from Chris St. Clair, sie said:
> > As for an interim fix, it depends on the software and how flexible
> > it is. Some will let you block certain regex's, some won't. If it
> > does support regex's, the actual regex will depend on the different
> > combinations you can use to represent the IP octets. For example,
> > a combination of hex, octal, and regular decimal:
> > 0xc0.168.000000001.1
> >
> > Coming up with an effective regex to match that might be tough.
>
> See, that's the wrong approach to take, IMHO.

Agreed.

> Whatever software is doing that should be converting the "hostname"
> into something it can match.  A small amount of translation never
> goes astray.  When that is done, evrything is either a hostname or
> a dotted-quad string and life is much easier.

Chris and I recommended to the vendors that everything be translated to
a canonical form before matching (32-bit unsigned ints in network byte
order are tremendously unambiguous).  However, the only mechanism many
of them have available in the meantime is regex matching of varying
sophistication.  Uggh.  :^p

-paul