TUCoPS :: Unix :: General
:: border~2.txt
Novell BorderManager - bypass secure areas exploit
COMMAND
BorderManager
SYSTEMS AFFECTED
Novell BorderManager 3.0 EE
PROBLEM
Kevin R Smith found following. Setting secure areas on an
intranet secured by URL rules within bordermanager can be bypassed
by changing some of the characters in the URL with %-encoded
triplets. To access
http://home.myintranet.com/secure
use
http://home.myintranet.com/s%45cure
It doesn't work for characters in the main domain name, but
sub-folders seem to work ok.
The same flaw in Squid was discovered (and fixed -- by Henrik
Nordstrom) back in February 1999. Apache turned out to be immune
to this problem.
It should be noted that "end result" depends on server
implementation: some servers understand escaped punctuation such
as '/' or '~' but not letters.
Ted Behling added correction. %45 is a capital E, so that URL
would return a 404 if the intranet server is case sensitive. %65
would generate a lowercase e. You might want to re-test with the
proper case, as BM's filters may or may not be case sensitive.
SOLUTION
It is already working correctly in Novell ICS. Fix will be
issued out soon.
Site design & layout copyright © 1986-2025 AOH