Bugtraq mailing list archives

Re: Novell BorderManager 3.0 EE - Encoded URL rule bypass


From: UPRR_DSA () UP COM (Coward, Anonymous)
Date: Fri, 14 Jul 2000 14:06:17 -0600


to make a long story short, obscuring the domain name does not circumvent
bordermanager.
bordermanager will either not resolve the address and fail, or it will figure
out the address and deny/allow based on its rules.

for bed time reading, read the remaining post for more detail...

<paraphrase source=http://www.nwi.net/~pchelp/obscure.htm>

URLs can be obscured at least three ways:

   1. Meaningless or deceptive text can be added after "http://"; and before an
"@" symbol.

   2. The domain name can be expressed as an IP address in:
     a. dotted-decimal
     b. dword
     c. octal
     d. hexadecimal format
     e. variants

   3. Characters appearing after the IP address can also be expressed as
hexadecimal (base 16) numbers.

</paraphrase>

as results vary from browser to browser, i tested using both ie 5.0 and ns 4.08.
for completeness, i tested urls as two different users:  privileged and
unprivileged.
in addition, as previous posts have covered #3 well enough, i'll not bother with
it here.

***  results for privileged, trusted, can-go-anywhere user:

1.)  blah@www.totalsports.net

ns:  DNS host name resolution failure
ie:  loaded the page

2.)
     a. 206.132.32.187  (duh!)

        ns: loaded page
        ie: loaded page

        add 256 to any/all segment in ip address - tried 462.132.32.187
        ns: invalid DNS host ip address
        ie: invalid DNS host ip address

     b. 3464765627

        ns: invalid DNS host ip address
        ie: invalid DNS host ip address

     c. 0316.0204.040.0273

        ns: loaded page
        ie: loaded page

     d. 0xcd8420bb and 0xcd.0x84.0x20.0xbb

        ns: DNS Host name resolution failed
        ie: DNS Host name resolution failed

     e. combining failed formats with successful formats failed

***  results for unprivileged joe user when www.totalsports.net is banned:

NOTE:  DNS failures from above results have been omitted for brevity

1.)  blah@www.totalsports.net

ie: denied access by bordermanager

2.)
     a. 206.132.32.187

        ns: denied access by bordermanager
        ie: denied access by bordermanager

     c. 0316.0204.040.0273

        ns: denied access by bordermanager
        ie: denied access by bordermanager

el fin

g. johnson - udsa () up com

