COMMAND
BorderManager
SYSTEMS AFFECTED
Novell BorderManager 3.0 EE
PROBLEM
Kevin R Smith found the following. Secure areas on an intranet
that are protected by URL rules within BorderManager can be
bypassed by replacing some of the characters in the URL with
%-encoded triplets. To access
http://home.myintranet.com/secure
use
http://home.myintranet.com/s%45cure
It doesn't work for characters in the main domain name, but
sub-folders seem to work ok.
The same flaw in Squid was discovered (and fixed -- by Henrik
Nordstrom) back in February 1999. Apache turned out to be immune
to this problem.
It should be noted that "end result" depends on server
implementation: some servers understand escaped punctuation such
as '/' or '~' but not letters.
Ted Behling added a correction. %45 is a capital E, so that URL
would return a 404 if the intranet server is case sensitive. %65
would generate a lowercase e. You might want to re-test with the
proper case, as BM's filters may or may not be case sensitive.
SOLUTION
It is already working correctly in Novell ICS. A fix will be
issued soon.
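
An added example, not code from Novell or from the advisory: a URL rule check that canonicalises the path before matching, shown beside the flawed check that compares the path as sent. DENY_PREFIXES and the function names are hypothetical; fold_case is a policy switch that should mirror whether the origin server is case sensitive, the point raised in Ted Behling's correction.

```python
import re
from urllib.parse import urlsplit

DENY_PREFIXES = ["/secure"]  # hypothetical rule modelled on the advisory's URL
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")
TRIPLET = re.compile(r"%([0-9A-Fa-f]{2})")

def canonical_path(url, fold_case=False):
    """Decode %-triplets of unreserved characters in one pass; keep reserved
    ones (e.g. %2F) encoded, with their hex digits upper-cased."""
    def decode(match):
        ch = chr(int(match.group(1), 16))
        return ch if ch in UNRESERVED else match.group(0).upper()
    path = TRIPLET.sub(decode, urlsplit(url).path or "/")
    return path.lower() if fold_case else path

def naive_denied(url):
    """Flawed check: the rule is compared with the path exactly as sent."""
    return any(urlsplit(url).path.startswith(p) for p in DENY_PREFIXES)

def denied(url, fold_case=False):
    """Corrected check: the rule is compared with the canonical path."""
    path = canonical_path(url, fold_case)
    for prefix in DENY_PREFIXES:
        if fold_case:
            prefix = prefix.lower()
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False

if __name__ == "__main__":
    for url in ("http://home.myintranet.com/secure",
                "http://home.myintranet.com/s%65cure",
                "http://home.myintranet.com/s%45cure"):
        print(url, naive_denied(url), denied(url), denied(url, fold_case=True))
```

The decode is a single pass, so a doubly encoded triplet such as %2565 stays as %2565 and is not turned into a letter by the filter.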