Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: border~2.txt

Novell BorderManager - bypass secure areas exploit




COMMAND

    BorderManager

SYSTEMS AFFECTED

    Novell BorderManager 3.0 EE

PROBLEM

    Kevin  R  Smith  found  following.   Setting  secure  areas  on an
    intranet secured by URL rules within bordermanager can be bypassed
    by  changing  some  of  the  characters  in the URL with %-encoded
    triplets.  To access

        http://home.myintranet.com/secure

    use

        http://home.myintranet.com/s%45cure

    It  doesn't  work  for  characters  in  the  main domain name, but
    sub-folders seem to work ok.

    The same  flaw in  Squid was  discovered (and  fixed --  by Henrik
    Nordstrom) back in February 1999.  Apache turned out to be  immune
    to this problem.

    It  should  be   noted  that  "end   result"  depends  on   server
    implementation: some servers  understand escaped punctuation  such
    as '/' or '~' but not letters.

    Ted Behling added  correction.  %45  is a capital  E, so that  URL
    would return a 404 if the intranet server is case sensitive.   %65
    would generate a lowercase e.  You might want to re-test with  the
    proper case, as BM's filters may or may not be case sensitive.

SOLUTION

    It  is  already  working  correctly  in  Novell  ICS.  Fix will be
    issued out soon.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH