Vulnerable Apps/Platforms:
-So far, surfCONTROL SuperScout 2.6.1.6, the only version tested, with rules blocking based on web site category. Complete No Access rules still successfully block.
-Possibly all previous versions.
-This vulnerability voids the ability to block users based on category.
-Discovered on NT Server 4.0 SP5

Non-Vulnerable Apps:
-N/A

Vulnerability:
-Blocking Internet access based on surfCONTROL's categorization of a particular site.
-Example: Rule - No Access to Adult sites Anytime
-"www.playboy.com" successfully blocked.
-"www.playboy.com." let right through the filter.
-"www.penthouse.com" successfully blocked.
-"www.penthouse.com." let right through the filter.

Exploit:
-One of the product's features is its ability to block a user from viewing a particular web site based on a classification database. Inside this database, web sites like www.playboy.com are categorized. Among the categories are Adult, Gambling, Sports, etc. Rules can be implemented based on user, time, and category (Example: Disallow Everyone to Adult sites at any time throughout the day).
-With IE5, behind surfCONTROL's rules, attempt to visit a restricted site (this will vary with the admin's rules).
-Add a "." (period) after the blocked URL.
-Access is granted.
-The web site/activity is logged by surfCONTROL; however, the "." bypasses the categorization. Within the logs, such a site will show with a category of "None".

Solution:
-The vendor was notified of this hole on the 7th of January, 2000. Subsequent notifications were sent regarding the severity of this flaw.
-No patch is available to date.

References:
-Unknown. I have briefly searched to see if this is old news, but discovered nothing.

History:
-surfCONTROL tech support was initially contacted with full details on this hole and how to duplicate the behavior on Jan 7, 2000.
-No information regarding a patch release or status was ever volunteered until two follow-up e-mails were sent regarding the severity of this flaw and the timely manner in which it should be resolved.
-I have received an e-mail stating a tentative date of Jan 31, 2000, for the availability of a downloadable patch from the website. Still nothing has been released.
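As an added example (not code from the advisory or from the vendor), the lookup failure described above and the canonicalisation that closes it, in Python: a trailing dot marks the DNS root label, so the browser resolves "www.playboy.com." to the same host while an exact-string category lookup misses it and falls through to "None". The category table, the function names and the extra case-folding step are assumptions of this example and go slightly beyond the page.

```python
"""Category lookup with and without hostname canonicalisation.

Constructed example: the table and function names below are not
surfCONTROL's own data or code, they model the behaviour the advisory
describes (exact match fails on a trailing dot, category becomes "None").
"""

# Constructed category table keyed by exact hostname, the way a naive
# filter might store its classification database.
CATEGORY_DB = {
    "www.playboy.com": "Adult",
    "www.penthouse.com": "Adult",
}

# Constructed policy: categories the "No Access ... Anytime" rule denies.
BLOCKED_CATEGORIES = {"Adult"}


def naive_category(host):
    """Exact-match lookup. 'www.playboy.com.' is not a key, so the result
    is 'None', matching the category the advisory saw in the logs."""
    return CATEGORY_DB.get(host, "None")


def canonical_host(host):
    """Reduce a hostname to the form the table is keyed on: trimmed,
    lower-cased (assumption beyond the page), with any trailing root-label
    dots removed. 'www.playboy.com.' and 'www.playboy.com' become equal."""
    return host.strip().lower().rstrip(".")


def canonical_category(host):
    """Lookup after canonicalisation; the trailing dot no longer matters."""
    return CATEGORY_DB.get(canonical_host(host), "None")


def is_blocked(host, lookup=canonical_category):
    """Policy decision: deny when the resolved category is on the deny list."""
    return lookup(host) in BLOCKED_CATEGORIES


if __name__ == "__main__":
    for h in ("www.playboy.com", "www.playboy.com.", "WWW.Penthouse.COM."):
        print(f"{h:22s} naive_blocked={is_blocked(h, naive_category)!s:5s} "
              f"canonical_blocked={is_blocked(h)}")
```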