[22221] in bugtraq
=?iso-8859-8-i?Q?Various_problems_in_Baltimore's_WEBSweeper_Script_filter?=
daemon@ATHENA.MIT.EDU (eDvice Security Services)
Sun Aug 12 13:24:23 2001
From: "eDvice Security Services" <support@edvicesecurity.com>
To: <bugtraq@securityfocus.com>
Date: Sun, 12 Aug 2001 16:42:14 +0200
Message-ID: <LPBBLIBKGEPPINMKCMMJAEFCCHAA.support@edvicesecurity.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-8-i"
Content-Transfer-Encoding: 7bit
Sunday 12 August 2001
eDvice Security Services Advisory
Various problems in Baltimore's WEBSweeper Script filtering
===========================================================
Product Background
-------------------
WEBsweeper is Baltimore Technologies' Web Content Security solution. It
enables customers to implement Content Security policies on Web, HTTP and
passive FTP transfers.
Scope
------
eDvice recently conducted a test of WEBSweeper's ability to filter Scripts
at the gateway. WEBSweeper includes the ability to filter script from HTML
code.
The Findings
--------------
WEBSweeper includes some design and implementation flaws, which allow an
attacker to bypass restrictions set by the product administrator and
introduce malicious code into an organization.
Details
---------
We found three problems with WEBSweeper's Script filtering mechanism:
1) By adding an extra opening angled bracket before the SCRIPT tag, the tag
will be left unmodified by WEBSweeper. The browser however, will execute the
contained script. Example:
<<SCRIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>
2) Similar problem to the one we reported in
http://archives.neohapsis.com/archives/bugtraq/2001-05/0282.html appears
with WEBSweeper as well. The following crafted html code:
<SC<SCRIPT language="javascript"> </SCRIPT>RIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>
will be transformed by the WEBsweeper filter to yield the following result:
<SCRIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>
3) WEBSweeper does not recognize and does not filter scripting tags
constructed using extended Unicode notation. This is the same problem we
reported in http://archives.neohapsis.com/archives/bugtraq/2001-05/0285.html
(see also http://www.securityfocus.com/bid/2801) for a different product.
Version Tested
---------------
Baltimore Technologies WEBSweeper 4.02
Status
-------
Baltimore Technologies was notified on 31 July 2001.
Discovered by eDvice on 30 July 2001.
http://www.edviceSecurity.com
support@edviceSecurity.com
