A long time ago, I worked for WebTV. The part of WebTV doing filtering for parental control was comparing IP addresses as strings. I managed to evade the parental controls when I noticed that the IP address parser was using an atoi that treated leading 0’s as octal and leading 0x’s as hex. By converting the octets of one of the blocked IP addresses into octal, I tricked the blacklist checker into letting me access the naughty bits.
(It was another time when it made sense to be blocking by IP address at all. But this was 1996, so, it was by definition another time.)
Today while reading some source code at work, I noticed that Cisco IOS accepts IP addresses of the form (int(0-255), dot) * 4. Which is correct, except that (probably later) someone defined int(0-255) as “zero or one plus character, followed by digits 0-9 one or more times”. Which means that IOS thinks “10.+20.30.40” is a valid IP address.
Whacky.
Leave a Reply