Re: SurfControl Bypass Vulnerability

[Dan Harkless <dan-bugtraq () DILVISH SPEED NET>]

Paul Cardon <paul () MOQUIJO COM> writes:
> > Whatever software is doing that should be converting the "hostname"
> > into something it can match.  A small amount of translation never
> > goes astray.  When that is done, evrything is either a hostname or
> > a dotted-quad string and life is much easier.
>
> Chris and I recommended to the vendors that everything be translated to
> a canonical form before matching (32-bit unsigned ints in network byte
> order are tremendously unambiguous).

A URL containing an IP address is not canonical for HTTP.  HTTP 1.1 does
virtual hosting via the "Host:" header, so multiple distinct servers can be
on a single IP.  If you restrict based on IP, you'll block access to both
http://www.juicysex.com/ and http://www.bible-history.org/, should they both
be on the same box.

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.