____      ____     __    __
                     /    \    /    \   |  |  |  |
        ----====####/  /\__\##/  /\  \##|  |##|  |####====----
                   |  |      |  |__|  | |  |  |  |
                   |  |  ___ |   __   | |  |  |  |
  ------======######\  \/  /#|  |##|  |#|  |##|  |######======------
                     \____/  |__|  |__|  \______/
                                                                                                                                                                                
                    Computer Academic Underground
                        http://www.caughq.org
                          Security Advisory
                                                                                                                                                                                
===============/========================================================
Advisory ID:    CAU-1998-0002
Release Date:   1998.04.30
Title:          Cytlok - Site (URL) Access Control Subversion
Application/OS: Cytlok for Windows 95 (http://www.cytlok.com)
Topic:          It is trivial to subvert Cytlok's Port Access
Vendor Status:  Notified
Attributes:     Access Control Subversion
Advisory URL:   http://www.caughq.org/advisories/CAU-1998-0002.txt
Author/Email:   I)ruid (druid@caughq.org)
===============/========================================================

Problem
-------
Browser's may reach any un-authorized URL by going through another site
that provides this service.

Example
-------
Cytlok has the URL "www.microsoft.com" dissallowed, but <Default> is
  allowed.
By using <Default> permissions, user accesses
  http://anon.free.anonymizer.com/http://www.microsoft.com and the page
  comes through as normal.

Technical Explanation
---------------------
Services such as the anonymizer allow users to feed it's site a URL, which
they in turn access, then display the results of that URL to the user via
a page on their site, rather than the site requested itself.  A similar
subversion could be created for the Port Access control by having access
to a particular port on an allowed server, which then redirects via that
allowed port/server to an unallowed port/server.  This could easily be
done with a simple utility such as netcat.

Solution
--------
Current workarounds include using the default permissions of the <Default>
URL, and only allowing certain sites, however, I find this very
restrictive.

How To Exploit
--------------
All that is required is Site Access to a webserver that provides an
anonymizer type service.  Once you have access to that site, you can use
it to retrieve the un-authorized sites that you want to view by going to
the allowed site via your browser and using their service.  This
subversion assumes that your browser has network and port access required
to view the service providing website.