Re: SurfControl Bypass Vulnerability

[Ben Ford <bford () ERISKSECURITY COM>]

The idea of IP based penetration is also flawed, in that you'd get the
default domain of the box anyways.  Unless that default domain has an
index page to give you a choice of virtual hosts (and many/most don't),
you wouldn't be able to access the desired http://www.juicysex.com anyways.

-b


Dan Harkless wrote:

> Paul Cardon <paul () MOQUIJO COM> writes:
>
> > > Whatever software is doing that should be converting the "hostname"
> > > into something it can match.  A small amount of translation never
> > > goes astray.  When that is done, evrything is either a hostname or
> > > a dotted-quad string and life is much easier.
> >
> > Chris and I recommended to the vendors that everything be translated to
> > a canonical form before matching (32-bit unsigned ints in network byte
> > order are tremendously unambiguous).
>
>
> A URL containing an IP address is not canonical for HTTP.  HTTP 1.1 does
> virtual hosting via the "Host:" header, so multiple distinct servers can be
> on a single IP.  If you restrict based on IP, you'll block access to both
> http://www.juicysex.com/ and http://www.bible-history.org/, should they both
> be on the same box.
>
> ----------------------------------------------------------------------
> Dan Harkless                   | To prevent SPAM contamination, please
> dan-bugtraq () dilvish speed net  | do not mention this private email
> SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.