surfCONTROL SuperScout URL blocking can be easily bypassed
3 Feb. 2000
surfCONTROL's SuperScout enables control and management of your Internet access using a rule engine that allows blocking of unwanted web sites. A web site database is provided with the product, divided into categories that can be enabled and disabled for browsing. A weakness in the product allows bypassing this URL checking mechanism by requesting a slightly different URL from what SuperScout expects.
SuperScout 3.0.2 and up
One of the product's main features is its ability to block a user from viewing a particular web site based on a classification database. Inside this database, web sites like www.playboy.com are categorized. Among the categories are: Adult, Gambling, Sports, etc. Rules can be implemented based on user, time and category (for example: Disallow Everyone to Adult sites at any time throughout the day).
Using IE5 behind surfCONTROL, attempt to visit a restricted site (which sites are restricted will vary with the applied rules). Now add a '.' (period) after the blocked URL; access is granted.
The web site/activity is logged by surfCONTROL; however, the '.' bypasses the categorization. Within the logs, such a site will show with a category of "None".
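The following is an added example, not SuperScout code: it contrasts a category lookup on the host string as requested with one that canonicalizes the host first, and reviews logged "None" entries against the canonical form. It assumes the bypass comes from an exact string match on the host name and that the period is appended to the host name (the fully qualified form of a DNS name); the database entries, log lines and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed classification database; host names are placeholders.
CATEGORY_DB = {"adult.example": "Adult", "casino.example": "Gambling"}
BLOCKED = {"Adult", "Gambling"}


def raw_host(url):
    """Host as requested (urlsplit lowercases it but keeps a trailing dot)."""
    return urlsplit(url).hostname or ""


def canonical_host(url):
    """Lookup key with the trailing root dot of an FQDN removed."""
    host = raw_host(url)
    return host[:-1] if host.endswith(".") else host


def categorize_exact(url):
    """Assumed weak behaviour: match the requested host string as-is."""
    return CATEGORY_DB.get(raw_host(url), "None")


def categorize_canonical(url):
    """Hardened lookup: both spellings of the host hit the same entry."""
    return CATEGORY_DB.get(canonical_host(url), "None")


def is_blocked(url, categorize=categorize_canonical):
    return categorize(url) in BLOCKED


def miscategorized(log_entries):
    """Log review: entries stored as "None" whose canonical host is listed."""
    return [(url, categorize_canonical(url)) for url, logged in log_entries
            if logged == "None" and categorize_canonical(url) != "None"]


# Constructed log sample: (requested URL, category recorded at request time).
SAMPLE_LOG = [
    ("http://adult.example/", "Adult"),
    ("http://adult.example./index.html", "None"),
    ("http://news.example/", "None"),
    ("http://CASINO.example./play", "None"),
]

if __name__ == "__main__":
    for url, category in miscategorized(SAMPLE_LOG):
        print(f"{url}: logged as None, database says {category}")
```

Running the review over existing logs shows which "None" entries were requests for categorized sites, while genuinely uncategorized hosts are left alone.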
To fix this problem, upgrade to the latest version, available from the surfCONTROL web site.