mailing list archives
surfCONTROL SuperScout v220.127.116.11 flaw
From: civ () GBIS COM (Mike, C)
Date: Thu, 3 Feb 2000 05:28:32 -0000
-So far, surfCONTROL SuperScout 18.104.22.168, Only version
tested, with rules blocking based on web site category.
Complete No Access rules still successfully block.
-Possibly all previous versions.
-This vulnerability voids the ability to block users based
-Discovered on NT Server 4.0 SP5
-Blocking Internet access based on surfCONTROL's
categorization of a particular site.
-Example: Rule - No Access to Adult sites Anytime
-"www.playboy.com" successfully blocked.
-"www.playboy.com." let right through the filter.
-"www.penthouse.com" successfully blocked.
-"www.penthouse.com." let right through the filter.
-One of the product's features is it's ability to block a
user from viewing a particular web site based on a
classification database. Inside this database, web sites
like www.playboy.com are categorized. Among the categories
are Adult, Gambling, Sports, etc. Rules can be implemented
based on user, time, category (Example: Disallow Everyone
to Adult sites at anytime throughout the day)
-With IE5, behind surfCONTROL's rules, attempt to visit a
restricted site (this will vary on the admin's rules.)
-Add a "." (period) after the blocked URL.
-Access is granted.
-The web site/activity is logged by surfCONTROL, however
the "." bypasses the categorization. Within the logs, such
a site will show with a category of "None"
-The vendor was notified of this hole on the 7th of
January, 2000. Subsequent notifications were sent regarding
the severity of this flaw.
-No patch is available to date.
-Unknown. I have briefly searched to see if this is old
news, but discovered nothing.
-surfCONTROL tech support was initially contacted with full
details on this hole and how to duplicate the behavior on
Jan 7, 2000.
-No information regarding a patch release or status was
ever volunteered until two follow-up e-mails were sent
regarding the severity of this flaw and the timely manner
to which it should be resolved.
-I have received an e-mail stating a tentive date of Jan
31, 2000, for the availability of a downloadable patch from
the website. Still nothing has been released.