That weakness would exist in any product that filters by domain name, because many of them will not perform a reverse DNS lookup. This would be the behavior of most home products (such as Cyberpatrol) which allow an administrator to specify forbidden domains, but if I wanted to see the site badly enough I would just ping/tracert/etc. to get the IP address. In most cases the filter will not capture the IP address because all the admin knew to enter was the domain name.

SonicWall could (and should) resolve this by adding a reverse DNS lookup to the Forbidden Domains list. That would possibly slow down Internet traffic on the LAN side, but the admin could disable it if they wish. Also, if the reverse DNS fails it could give the admin the option to block the site or allow it anyway.

Brian J. Gaia
Print Shop & Information Systems Assistant
Webmaster, Pure and Undefiled Religion (PURE)
Church of the Open Door

-----Original Message-----
From: Marc Ruef [mailto:marc.ruef@computec.ch]
Sent: Tuesday, October 29, 2002 2:36 PM
To: bugtraq@securityfocus.com; news@securiteam.com
Subject: Bypassing website filter in SonicWall

Hi!

I found a little weakness in SonicWall: I turn on the blocking mechanism for websites (e.g. www.google.com). Now I can't reach the website using the domain name. But if I choose the IP address of the host (e.g. http://216.239.53.101/), I can contact the forbidden website.

I've discovered the same issue for the NetGear FM114P in http://online.securityfocus.com/bid/5667

It would make sense if you could do an internal nslookup. Otherwise the user can work around it by always adding the IP address(es) of the blocked websites. But this can cause some problems if there is virtual hosting. A smart attacker can use some dotless IPs to bypass the new workaround IP filter. The box will sadly lose performance because of the additional filter line(s).

My description was sent on 02/10/15 to info@sonicwall.com - No response came back.

The blocking URL message style and problem reminds me of the website blocking mechanism of NetGear's FM114P. It could be that both use the same mechanism (by a 3rd party?). So, if the bug is fixed for one box the other will also be fixed - I think so.

Bye,

Marc

--
Computer, Technik und Security
http://www.computec.ch
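The two mitigations discussed in this thread (pre-resolving forbidden names so their addresses are blocked too, and reverse-looking-up numeric hosts with an admin-chosen policy for failed lookups), together with canonicalization of the dotless-IP forms Marc mentions, as an added illustration that is not SonicWall's, NetGear's or either poster's code. The DNS tables, the hostnames and the addresses 216.239.53.102 and 198.51.100.7 are constructed stand-ins so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-ins for forward and reverse DNS so the demo runs offline
# (a real filter would use socket.gethostbyname_ex / socket.gethostbyaddr instead).
FORWARD = {"www.google.com": ["216.239.53.101"]}
REVERSE = {"216.239.53.101": "www.google.com", "216.239.53.102": "www.google.com"}


def canonical_host(host):
    """Lower-case names; rewrite numeric hosts (3639555429, 0xd8ef3565, dotted quads) to dotted form."""
    host = host.strip().lower().rstrip(".")
    try:
        n = int(host, 0)
        if 0 <= n <= 0xFFFFFFFF:
            return str(ipaddress.IPv4Address(n))
    except ValueError:
        pass
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host


class DomainFilter:
    def __init__(self, forbidden, block_on_reverse_failure=False,
                 forward=lambda h: FORWARD.get(h, []), reverse=lambda ip: REVERSE.get(ip)):
        self.forbidden = {canonical_host(d) for d in forbidden}
        self.block_on_reverse_failure, self.reverse = block_on_reverse_failure, reverse
        # Mitigation 1: resolve each forbidden name up front and block its addresses as well.
        self.forbidden_ips = set()
        for name in self.forbidden:
            self.forbidden_ips.update(canonical_host(ip) for ip in forward(name))

    def _name_forbidden(self, name):
        return any(name == d or name.endswith("." + d) for d in self.forbidden)

    def is_blocked(self, url):
        host = canonical_host(urlsplit(url).hostname or "")
        if self._name_forbidden(host):
            return True
        try:
            ipaddress.ip_address(host)
        except ValueError:
            return False  # an ordinary name that is not on the list
        if host in self.forbidden_ips:
            return True
        # Mitigation 2: reverse-lookup the numeric host; the admin chooses what a failed lookup means.
        name = self.reverse(host)
        if name is None:
            return self.block_on_reverse_failure
        return self._name_forbidden(canonical_host(name))
```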