COMMAND

    SuperScout

SYSTEMS AFFECTED

    surfCONTROL SuperScout v2.6.1.6 flaw

PROBLEM

    Mike Civ found the following (tested on NT Server 4.0 SP5).
    Vulnerability:

        -Blocking Internet access based on surfCONTROL's categorization of a particular site.
        -Example: Rule - No Access to Adult sites Anytime
          -"www.playboy.com" successfully blocked.
          -"www.playboy.com." let right through the filter.
          -"www.penthouse.com" successfully blocked.
          -"www.penthouse.com." let right through the filter.

    One of the product's features is its ability to block a user
    from viewing a particular web site based on a classification
    database.  Inside this database, web sites like www.playboy.com
    are categorized.  Among the categories are Adult, Gambling,
    Sports, etc.  Rules can be implemented based on user, time, and
    category (Example: Disallow Everyone to Adult sites at any time
    throughout the day).

    With IE5, behind surfCONTROL's rules, attempt to visit a
    restricted site (this will vary with the admin's rules).  Add a
    "." (period) after the blocked URL.  Access is granted.  The web
    site/activity is logged by surfCONTROL; however, the "." bypasses
    the categorization.  Within the logs, such a site will show with
    a category of "None".
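
    The mismatch described above, as an added example that is not part
    of the original advisory or the product's code: a category lookup
    keyed on the raw host string beside one keyed on a normalized name,
    plus a log check for entries recorded as "None" that normalize to a
    blocked site.  The database contents, log record layout and all
    function names are assumptions; the normalization also goes beyond
    the trailing dot (case, port).

```python
# Added example: constructed data, not the product's database or log format.
CATEGORY_DB = {
    "www.playboy.com": "Adult",
    "www.penthouse.com": "Adult",
}
BLOCKED = {"Adult"}  # rule: no access to Adult sites at any time


def normalize_host(host):
    """Canonical lookup key: lowercase, port removed, root-label dot(s) removed."""
    host = host.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host.rstrip(".")


def categorize_raw(host):
    """Assumed model of the flaw: lookup keyed on the exact string requested."""
    return CATEGORY_DB.get(host, "None")


def categorize(host):
    """Lookup keyed on the normalized name."""
    return CATEGORY_DB.get(normalize_host(host), "None")


def is_blocked(host, lookup):
    return lookup(host) in BLOCKED


def find_bypassed(log):
    """Entries logged as 'None' whose normalized host is in a blocked category."""
    return [e for e in log
            if e["category"] == "None" and categorize(e["host"]) in BLOCKED]


SAMPLE_LOG = [  # constructed log records
    {"user": "alice", "host": "www.playboy.com", "category": "Adult"},
    {"user": "bob", "host": "www.playboy.com.", "category": "None"},
    {"user": "carol", "host": "www.penthouse.com.", "category": "None"},
    {"user": "dave", "host": "www.example.org", "category": "None"},
]

if __name__ == "__main__":
    for host in ("www.playboy.com", "www.playboy.com."):
        print(host, is_blocked(host, categorize_raw), is_blocked(host, categorize))
    for entry in find_bypassed(SAMPLE_LOG):
        print("review:", entry)
```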

SOLUTION

    No patch is available to date, but one is planned.