Various problems in Baltimore WebSweeper URL filtering

From: edvice Security Services (supportat_private)
Date: Wed Sep 05 2001 - 01:57:27 PDT


    Tuesday 4 September 2001
    
    Various problems in Baltimore WebSweeper URL filtering
    ======================================================
    
    Product Background
    ------------------
    WEBSweeper is Baltimore Technologies' Web Content Security solution. It
    enables customers to implement Content Security policies on Web, HTTP and
    passive FTP transfers.
    
    Scope
    -----
    edvice recently conducted a test of WebSweeper's ability to filter URLs at
    the gateway. WebSweeper includes the ability to restrict access to selected
    URLs.
    
    The Findings
    -------------
    WebSweeper includes some design and implementation flaws, which allow an
    attacker to easily bypass restrictions set by the product administrator.
    This can be used by internal users to bypass WebSweeper's restrictions and
    by authorized web servers to redirect the user to unauthorized web servers.
    
    Details
    --------
    At least the following methods can be used to bypass a restriction on the
    URL http://source.com/restricted
    
    The methods are:
    
    1) http://source.com//restricted
    2) http://source.com/blabla/../restricted
    3) http://source.com/./restricted
    4) http://source.com/r%65stricted
    
    Version Tested
    --------------
    Baltimore Technologies WebSweeper 4.02
    
    Status
    -------
    Baltimore was notified on August 1 2001 and released the following technote
    on September 4 2001:
    http://www.mimesweeper.com/support/technotes/notes/1043.asp
    Baltimore claims that it is not practical to use WEBsweeper to manage
    blacklists.
    For those of you who intend to read Baltimore's technote, please note that
    some of the examples in the technote, as well as in the reference attached
    to the technote, discuss obscuring URLs at the BROWSER level. These examples
    are not supposed to work with proxy servers and gateways such as WebSweeper.
    They are usually used by spammers to obscure a URL displayed to users. They
    usually can't be used by users to bypass a proxy or gateway URL filter
    (unless the filter includes additional design and implementation flaws).
    
    edvice Security Services
    http://www.edvicesecurity.com/vul29.htm
    supportat_private
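
The four variants under "Details" all name the same resource once the path is percent-decoded and its empty, "." and ".." segments are resolved, so a gateway filter has to canonicalize before it compares. The following is an added example, not code from the advisory or from Baltimore: `BLOCKLIST`, `canonicalize`, `is_blocked` and `naive_is_blocked` are hypothetical names, and the literal string comparison in `naive_is_blocked` is an assumption made for contrast, since the advisory does not describe WebSweeper's internals. It goes slightly beyond the advisory by also decoding layered percent-encoding.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed blocklist with the advisory's restricted URL: (host, path prefix).
BLOCKLIST = [("source.com", "/restricted")]

def canonicalize(url, max_rounds=5):
    """Return (host, path) in the form the blocklist is compared against."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    # Undo percent-encoding until the path stops changing, so layered
    # encodings (%2565 -> %65 -> e) are decoded as well. The loop is bounded.
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Collapse repeated slashes first: posixpath.normpath keeps a leading "//".
    path = re.sub(r"/+", "/", path)
    # Resolve "." and ".." segments; ".." cannot climb above the root.
    path = posixpath.normpath(path)
    return host, path

def is_blocked(url):
    """True if the canonical URL equals or lies under a blocklisted prefix."""
    host, path = canonicalize(url)
    return any(
        host == bad_host and (path == bad_path or path.startswith(bad_path + "/"))
        for bad_host, bad_path in BLOCKLIST
    )

def naive_is_blocked(url):
    """Assumed flawed check: compare the raw request string to the entry."""
    return url == "http://source.com/restricted"

# The restricted URL followed by the four variants listed in the advisory.
VARIANTS = [
    "http://source.com/restricted",
    "http://source.com//restricted",
    "http://source.com/blabla/../restricted",
    "http://source.com/./restricted",
    "http://source.com/r%65stricted",
]

if __name__ == "__main__":
    for u in VARIANTS:
        print(f"{u:42} naive={naive_is_blocked(u)} canonical={is_blocked(u)}")
```

Path case is left untouched here because whether `/Restricted` and `/restricted` are the same resource depends on the origin server.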
    


