SiteKiosk v4.x and 5.x contain vulnerabilities which allow users to bypass URL restrictions and/or browse for free because the software fails to check if the supplied URL contains a wildcard DNS entry.
47dff8e13deba387ab3498641097b00700a232599411910947ded0a5dd09786b
TITLE:
SiteKiosk Base URL Restriction Bypass
SECUNIA ADVISORY ID:
SA10071
VERIFY ADVISORY:
http://www.secunia.com/advisories/10071/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
Local system
SOFTWARE:
SiteKiosk 5.x
SiteKiosk 4.x
DESCRIPTION:
A vulnerability has been reported in SiteKiosk allowing malicious
users to bypass URL restrictions.
SiteKiosk restricts or allows access to sites based upon strings
matching allowed or restricted URLs. However, SiteKiosk fails to
detect if this string is part of another domain (e.g. a domain with a
wild card DNS entry).
This can be exploited to surf at a lower rate or surf free-of-charge
by using a web proxy from a domain with a wild card DNS entry.
The vulnerability has been reported to affect all versions.
SOLUTION:
Implement a firewall and restrict access based on IP addresses.
REPORTED BY / CREDITS:
Zrekam
----------------------------------------------------------------------
Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Contact details:
Web : http://www.secunia.com/
E-mail : support@secunia.com
Tel : +45 7020 5144
Fax : +45 7020 5145
----------------------------------------------------------------------