[22714] in bugtraq
Various problems in Baltimore MailSweeper Script filtering
daemon@ATHENA.MIT.EDU (edvice Security Services)
Sat Sep 22 18:31:41 2001
From: "edvice Security Services" <support@edvicesecurity.com>
To: <bugtraq@securityfocus.com>
Date: Sat, 22 Sep 2001 17:45:32 +0200
Message-ID: <LPBBLIBKGEPPINMKCMMJAECNCIAA.support@edvicesecurity.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-8-i"
Content-Transfer-Encoding: 7bit
Saturday 22 September 2001
Various problems in Baltimore MailSweeper Script filtering
===========================================================
Product Background
--------------------
MAILsweeper is a Content Security solution for the gateway that allows
businesses to implement policy for Internet e-mail.
Scope
------
edvice recently conducted a test of MailSweeper's ability to filter Scripts
from HTML e-mail. MailSweeper includes the option to detect and remove
JavaScript and VBScript from incoming HTML e-mail.
The Findings
-------------
Two vulnerabilities in MailSweeper allow an attacker to bypass restrictions
set by the product administrator and to introduce malicious code into the
organization.
Details
--------
1. MailSweeper does not correctly intercept HTML-encoded characters that
replace the string "javascript" or "vbscript" within certain HTML tags. As a
result, it is possible to bypass MailSweeper's script filtering.
For example:
<A HREF="javascript:alert('This part should be filtered')">Click here</A>
Or:
<IMG SRC="javascript:alert('This part should be filtered')">
2. A problem similar to the one we reported in WebSweeper applies to
MailSweeper as well. The following crafted HTML code:
<<IMG SRC="javascript:alert('This part should be filtered')">
Will go undetected by MailSweeper.
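
A defensive check for the two cases above, as an added example (not part of the advisory and not MailSweeper's code): it parses the markup so that character references in attribute values are decoded and a stray "<" is treated as text, and only then tests the URL scheme. The entity-encoded sample and the names find_script_urls, is_script_url and naive_filter_hits are constructed for illustration; stripping whitespace and control characters goes beyond the two reported cases.

```python
import re
from html.parser import HTMLParser

SCRIPT_SCHEMES = ("javascript:", "vbscript:")
URL_ATTRS = {"href", "src"}          # the attributes used in the advisory's examples
_WS_CTRL = re.compile(r"[\x00-\x20]+")

# Samples: PLAIN and DOUBLE_LT are the advisory's examples; the others are constructed.
PLAIN = "<A HREF=\"javascript:alert('This part should be filtered')\">Click here</A>"
ENCODED = "<A HREF=\"&#106;avascript:alert('This part should be filtered')\">Click here</A>"
DOUBLE_LT = "<<IMG SRC=\"javascript:alert('This part should be filtered')\">"
BENIGN = '<A HREF="http://example.com/javascript.html">docs</A>'


def naive_filter_hits(html):
    """Literal match on the raw text: models a filter that never decodes entities."""
    raw = html.lower()
    return any(scheme in raw for scheme in SCRIPT_SCHEMES)


def is_script_url(value):
    """value is an attribute value whose character references are already decoded."""
    # Deliberately conservative: drop all whitespace/control characters first.
    compact = _WS_CTRL.sub("", value).lower()
    return compact.startswith(SCRIPT_SCHEMES)


class _ScriptUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases names and unescapes attribute values for us.
        for name, value in attrs:
            if name in URL_ATTRS and value and is_script_url(value):
                self.hits.append((tag, name))


def find_script_urls(html):
    """Return (tag, attribute) pairs whose URL uses a script scheme."""
    finder = _ScriptUrlFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    for label, sample in [("plain", PLAIN), ("encoded", ENCODED),
                          ("double <", DOUBLE_LT), ("benign", BENIGN)]:
        print(label, naive_filter_hits(sample), find_script_urls(sample))
```
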
Version Tested
---------------
Baltimore Technologies MailSweeper 4.2
Status
-------
Baltimore Technologies was notified on 21 August 2001.
Discovered by edvice on 15 August 2001.
http://www.edvicesecurity.com/vul30.htm
support@edvicesecurity.com