Bugtraq mailing list archives
Re: SurfControl Bypass Vulnerability
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Mon, 26 Mar 2001 12:14:35 -0700
On Fri, 23 Mar 2001, Dan Harkless wrote:
> A URL containing an IP address is not canonical for HTTP. HTTP 1.1 does virtual hosting via the "Host:" header, so multiple distinct servers can be on a single IP. If you restrict based on IP, you'll block access to both http://www.juicysex.com/ and http://www.bible-history.org/, should they both be on the same box.
Quite true. However, one or none of the sites has to be the default for requests where the site isn't specified. So, if the default is juicysex, then the IP address can be blocked. If it's bible history, then you don't. The bypass only "works" if the restricted site is the default.

Ryan
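A small model of the point both posts are making, added here as an example and not code from the thread: an HTTP/1.1 server picks the site from the Host header and falls back to its default site when the Host is a bare IP or absent, so a filter keyed on hostnames lets an IP-literal request through and it reaches the restricted site only when that site is the default, while a filter keyed on the address blocks every site sharing it. The two hostnames come from Dan's message; the 192.0.2.10 address and the `hybrid_filter` policy are constructed assumptions for the example.

```python
from ipaddress import ip_address

# Constructed example data: two unrelated sites sharing one address.
DNS = {"www.juicysex.com": "192.0.2.10", "www.bible-history.org": "192.0.2.10"}
BLOCKED_NAMES = {"www.juicysex.com"}
BLOCKED_IPS = {DNS[n] for n in BLOCKED_NAMES}


def hostname(host_header):
    """Lowercased host part of a Host header, without any :port suffix."""
    return host_header.split(":")[0].lower() if host_header else ""


def is_ip_literal(name):
    try:
        ip_address(name)
        return True
    except ValueError:
        return False


def vhost_served(host_header, default_site):
    """Site an HTTP/1.1 server dispatches to: a Host naming one of its
    virtual hosts selects it; a bare IP, an unknown name or no Host at
    all falls through to the server's default site."""
    name = hostname(host_header)
    return name if name in DNS else default_site


def name_filter(host_header):
    """Filter keyed on hostnames only: never sees a name in an IP-literal URL."""
    return "deny" if hostname(host_header) in BLOCKED_NAMES else "allow"


def ip_filter(host_header):
    """Filter keyed on the destination address: blocks every site on it."""
    name = hostname(host_header)
    ip = name if is_ip_literal(name) else DNS.get(name)
    return "deny" if ip in BLOCKED_IPS else "allow"


def hybrid_filter(host_header):
    """Assumed middle ground (not from the thread): deny listed names and
    IP-literal Hosts sharing an address with a listed name, but let other
    names on that shared address through."""
    name = hostname(host_header)
    if name in BLOCKED_NAMES or (is_ip_literal(name) and name in BLOCKED_IPS):
        return "deny"
    return "allow"


def outcome(filter_fn, host_header, default_site):
    """(filter decision, site actually reached or None) for one request."""
    if filter_fn(host_header) == "deny":
        return ("deny", None)
    return ("allow", vhost_served(host_header, default_site))
```

Running `outcome(name_filter, "192.0.2.10", default)` with each site as the default shows Ryan's observation: the hostname filter allows the request in both cases, but it reaches the restricted site only when that site is the server default.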