Monday 9 July 2001 eDvice Security Services Advisory - Various problems in Trend Micro AppletTrap URL filtering Product Background ------------------ Trend Micro AppletTrap is a product for blocking malicious Java applets, malicious JavaScript and unsecured ActiveX controls at the gateway. The product includes an option for URL filtering. Scope ----- eDvice recently conducted a test of AppletTrap's ability to filter URLs at the gateway. AppletTrap includes the ability to restrict access to selected URLs. It does not include the option to restrict access to all URLs except for selected URLs. The Findings ------------ AppletTrap includes some design and implementation flaws, which allow an attacker to easily bypass restrictions set by the product administrator. This can be used by internal users to bypass AppletTrap's restrictions and by authorized web servers to redirect the user to unauthorized web servers. Details ------- We found four problems with AppletTrap's URL filtering mechanism: 1) Double slash: Restricted access to http://source.com/restricted could be bypassed by typing: http://source.com//restricted. 2) URL encoding: The same restriction could also be bypassed by typing: http://source.com/r%65stricted 3) Resolving IP addresses: The same restriction could be bypassed by typing the IP address of source.com instead of the domain name (the opposite scenario works as well. I.e. bypassing IP address restriction by using the domain name). 4) Dot notation: Restricting access to a certain IP address (e.g. http://192.16.100.100) could be bypassed by typing: http://192.016.100.100 or even http://00192.16.100.100 Version Tested -------------- AppletTrap 2.0 Status ------ Trend Micro was notified on 28 June 2001. The problem was escalated to their QA department on the same day. We haven't received any further information from Trend Micro. Solution -------- Do not rely on Trend Micro AppletTrap for URL filtering until Trend Micro fixes the problems. Discovered by eDvice on 28 June 2001. http://www.edvicesecurity.com/vul26.htm supportat_private
This archive was generated by hypermail 2b30 : Mon Jul 09 2001 - 09:10:04 PDT