Sunday 12 August 2001

eDvice Security Services Advisory
Various problems in Baltimore's WEBSweeper Script filtering
===========================================================

Product Background
-------------------
WEBsweeper is Baltimore Technologies' Web Content Security solution. It enables customers to implement Content Security policies on Web, HTTP and passive FTP transfers.

Scope
------
eDvice recently conducted a test of WEBSweeper's ability to filter scripts at the gateway. WEBSweeper includes the ability to filter script from HTML code.

The Findings
--------------
WEBSweeper includes some design and implementation flaws which allow an attacker to bypass restrictions set by the product administrator and introduce malicious code into an organization.

Details
---------
We found three problems with WEBSweeper's script filtering mechanism:

1) By adding an extra opening angle bracket before the SCRIPT tag, the tag is left unmodified by WEBSweeper. The browser, however, executes the contained script.

Example:

<<SCRIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>

2) A problem similar to the one we reported in http://archives.neohapsis.com/archives/bugtraq/2001-05/0282.html appears with WEBSweeper as well. The following crafted HTML code:

<SC<SCRIPT language="javascript"> </SCRIPT>RIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>

will be transformed by the WEBsweeper filter to yield the following result:

<SCRIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>

3) WEBSweeper does not recognize and does not filter scripting tags constructed using extended Unicode notation. This is the same problem we reported in http://archives.neohapsis.com/archives/bugtraq/2001-05/0285.html (see also http://www.securityfocus.com/bid/2801) for a different product.
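Finding 2 is the classic failure of a filter that walks the original text once and never re-examines its own output. The following added example (constructed for this advisory, not WEBSweeper code) shows a single-pass regex strip reassembling the SCRIPT tag from the fragments around the removed inner element, and a fixpoint variant that re-runs the filter until the output stops changing. The sample inputs are constructed from the two payloads above; the example does not cover finding 3, which needs the input canonically decoded before any tag matching is attempted.

```python
import re

# One SCRIPT element, opening tag through closing tag, any case, spanning lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def strip_scripts_once(html: str) -> str:
    """Single pass: removes every SCRIPT element present in the ORIGINAL text.
    Text that only becomes a tag after a removal is never revisited."""
    return SCRIPT_RE.sub("", html)


def strip_scripts_fixpoint(html: str, max_rounds: int = 10) -> str:
    """Repeat the single pass until a pass changes nothing, so a tag
    reassembled from fragments around a removed element is also removed.
    A document that keeps changing after max_rounds is rejected outright."""
    for _ in range(max_rounds):
        cleaned = strip_scripts_once(html)
        if cleaned == html:
            return cleaned
        html = cleaned
    raise ValueError("filter did not converge; reject the document")


def has_script(html: str) -> bool:
    """Post-filter check: does the output still contain a SCRIPT element?"""
    return SCRIPT_RE.search(html) is not None


# Constructed sample mirroring finding 2: the fragments reassemble into a tag.
NESTED = (
    '<SC<SCRIPT language="javascript"> </SCRIPT>RIPT language="javascript"> '
    'alert("This should have been filtered"); </SCRIPT>'
)
# Constructed sample mirroring finding 1: an extra '<' in front of the tag.
DOUBLE_BRACKET = (
    '<<SCRIPT language="javascript"> alert("This should have been filtered"); </SCRIPT>'
)

if __name__ == "__main__":
    print("single pass :", repr(strip_scripts_once(NESTED)))
    print("fixpoint    :", repr(strip_scripts_fixpoint(NESTED)))
    print("finding 1   :", repr(strip_scripts_fixpoint(DOUBLE_BRACKET)))
```

The single-pass output for NESTED is exactly the reconstructed element shown in finding 2, which is why the filter's own output must be fed back through the filter (or the document rejected) before it is released to the browser.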
Version Tested
---------------
Baltimore Technologies WEBSweeper 4.02

Status
-------
Baltimore Technologies was notified on 31 July 2001.
Discovered by eDvice on 30 July 2001.

http://www.edviceSecurity.com
supportat_private
This archive was generated by hypermail 2b30 : Sun Aug 12 2001 - 09:52:48 PDT