Various problems in Baltimore's WEBSweeper Script filtering

From: eDvice Security Services (supportat_private)
Date: Sun Aug 12 2001 - 07:42:14 PDT


    Sunday 12 August 2001
    eDvice Security Services Advisory
    
    Various problems in Baltimore's WEBSweeper Script filtering
    ===========================================================
    
    Product Background
    -------------------
    WEBsweeper is Baltimore Technologies' Web Content Security solution. It
    enables customers to implement Content Security policies on Web, HTTP and
    passive FTP transfers.
    
    Scope
    ------
    eDvice recently conducted a test of WEBSweeper's ability to filter Scripts
    at the gateway. WEBSweeper includes the ability to filter script from HTML
    code.
    
    The Findings
    --------------
    WEBSweeper includes some design and implementation flaws, which allow an
    attacker to bypass restrictions set by the product administrator and
    introduce malicious code into an organization.
    
    Details
    ---------
    We found three problems with WEBSweeper's Script filtering mechanism:
    
    1) By adding an extra opening angle bracket before the SCRIPT tag, the tag
    will be left unmodified by WEBSweeper. The browser, however, will execute the
    contained script. Example:
    
    <<SCRIPT language="javascript">
    alert("This should have been filtered");
    </SCRIPT>
    
    2) A problem similar to the one we reported in
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0282.html appears
    with WEBSweeper as well. The following crafted HTML code:
    
    <SC<SCRIPT language="javascript"> </SCRIPT>RIPT language="javascript">
    alert("This should have been filtered");
    </SCRIPT>
    
    will be transformed by the WEBsweeper filter to yield the following result:
    
    <SCRIPT language="javascript">
    alert("This should have been filtered");
    </SCRIPT>
    
    3) WEBSweeper does not recognize and does not filter scripting tags
    constructed using extended Unicode notation. This is the same problem we
    reported in http://archives.neohapsis.com/archives/bugtraq/2001-05/0285.html
    (see also http://www.securityfocus.com/bid/2801) for a different product.
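    As an added illustration (not part of the advisory and not WEBSweeper's code), the Python below models the second finding: a single-pass tag stripper is not idempotent, so removing the inner tag re-joins the outer one, whereas repeating the pass until the document stops changing and then re-checking the result catches it. The inputs are the advisory's own examples 1 and 2; the Unicode case (3) depends on the encoding, which the advisory does not specify, so it is not modelled.

```python
import re

# Advisory example 1: extra '<' in front of the tag name.
CASE_1 = '<<SCRIPT language="javascript">\nalert("This should have been filtered");\n</SCRIPT>'
# Advisory example 2: a complete inner <SCRIPT> block splits the outer tag name.
CASE_2 = ('<SC<SCRIPT language="javascript"> </SCRIPT>RIPT language="javascript">\n'
          'alert("This should have been filtered");\n</SCRIPT>')

# One <script ...>...</script> block. A run of '<' before the name is tolerated
# because the browser still executes the script (advisory item 1).
SCRIPT_BLOCK = re.compile(r'<+script\b[^>]*>.*?</script\s*>', re.IGNORECASE | re.DOTALL)
# Anything that still looks like the opener of a script tag after filtering.
SCRIPT_START = re.compile(r'<+script\b', re.IGNORECASE)


def strip_once(html: str) -> str:
    """Single-pass removal: the filtering model the advisory shows failing."""
    return SCRIPT_BLOCK.sub('', html)


def strip_to_fixpoint(html: str, max_rounds: int = 10) -> str:
    """Repeat the removal until the document stops changing, so fragments that
    an inner removal re-joins (advisory item 2) are caught on the next round."""
    for _ in range(max_rounds):
        new = SCRIPT_BLOCK.sub('', html)
        if new == html:
            return html
        html = new
    raise ValueError('filter did not converge; reject the document')


def is_clean(html: str) -> bool:
    """Post-filter check: the output must not carry any script tag opener."""
    return SCRIPT_START.search(html) is None


def sanitize(html: str) -> str:
    """Strip to a fixpoint, then refuse to forward anything that still carries
    a script opener (e.g. an unterminated <script>) instead of passing it on."""
    cleaned = strip_to_fixpoint(html)
    if not is_clean(cleaned):
        raise ValueError('script tag survived filtering; reject the document')
    return cleaned


if __name__ == '__main__':
    # One pass on example 2 yields exactly the tag the advisory shows surviving.
    print(repr(strip_once(CASE_2)))
    print(repr(sanitize(CASE_2)))  # ''
```

The single pass on example 2 returns the re-joined `<SCRIPT language="javascript">...</SCRIPT>` block, which `is_clean` flags; the fixpoint pass reduces both examples to an empty string.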
    
    Version Tested
    ---------------
    Baltimore Technologies WEBSweeper 4.02
    
    Status
    -------
    Baltimore Technologies was notified on 31 July 2001.
    
    Discovered by eDvice on 30 July 2001.
    http://www.edviceSecurity.com
    supportat_private
    