Various problems in Baltimore MailSweeper Script filtering

From: edvice Security Services (supportat_private)
Date: Sat Sep 22 2001 - 08:45:32 PDT


    Saturday 22 September 2001
    
    
    Various problems in Baltimore MailSweeper Script filtering
    ===========================================================
    
    Product Background
    --------------------
    MAILsweeper is a Content Security solution for the gateway that allows
    businesses to implement policy for Internet e-mail.
    
    Scope
    ------
    edvice recently conducted a test of MailSweeper's ability to filter Scripts
    from HTML e-mail. MailSweeper includes the option to detect and remove
    JavaScript and VBScript from incoming HTML e-mail.
    
    The Findings
    -------------
    Two vulnerabilities in MailSweeper allow an attacker to bypass restrictions
    set by the product administrator and to introduce malicious code into the
    organization.
    
    Details
    --------
    1. MailSweeper does not correctly intercept HTML-encoded characters that
    replace the string "javascript" or "vbscript" within certain HTML tags. As a
    result, it is possible to bypass MailSweeper's script filtering.
    
    For example:
    
    <A HREF="javascript:alert('This part should be filtered')">Click here</A>
    
    Or:
    
    <IMG SRC="javascript:alert('This part should be filtered')">
    
    2. A problem similar to the one we reported for WebSweeper applies to
    MailSweeper as well. The following crafted HTML code:
    
    <<IMG SRC="javascript:alert('This part should be filtered')">
    
    will go undetected by MailSweeper.
    
    Version Tested
    ---------------
    Baltimore Technologies MailSweeper 4.2
    
    Status
    -------
    Baltimore Technologies was notified on 21 August 2001.
    
    
    Discovered by edvice on 15 August 2001.
    http://www.edvicesecurity.com/vul30.htm
    supportat_private
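
Added example, not part of the original advisory and not MailSweeper's code: a filter check for finding 1 that compares URL schemes only after character references have been decoded, shown beside a literal search of the raw markup. The names `literal_match`, `decoded_match` and `ScriptUrlFinder`, and the samples marked "constructed", are assumptions made for illustration; the other two samples are the advisory's own.

```python
import re
from html.parser import HTMLParser

BLOCKED_SCHEMES = ("javascript:", "vbscript:")
URL_ATTRS = {"href", "src"}  # attributes used in the advisory's samples


def literal_match(markup):
    """Weak check: search the raw, undecoded markup for the scheme name."""
    pattern = r"(?:href|src)\s*=\s*[\"']?(?:javascript|vbscript):"
    return re.search(pattern, markup, re.IGNORECASE) is not None


class ScriptUrlFinder(HTMLParser):
    """Records (tag, attribute) pairs whose decoded URL uses a blocked scheme."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser passes attribute values with character references already
        # decoded, so the comparison runs on the decoded URL, not on raw text.
        for name, value in attrs:
            if name in URL_ATTRS and value:
                # Conservative: drop ASCII whitespace/control characters first.
                url = re.sub(r"[\x00-\x20]", "", value).lower()
                if url.startswith(BLOCKED_SCHEMES):
                    self.hits.append((tag, name))


def decoded_match(markup):
    """Return the list of (tag, attribute) hits found after decoding."""
    finder = ScriptUrlFinder()
    finder.feed(markup)
    finder.close()
    return finder.hits


PAYLOAD = "alert('This part should be filtered')"
SAMPLES = {
    "plain": '<A HREF="javascript:%s">Click here</A>' % PAYLOAD,   # advisory
    "encoded": '<A HREF="&#106;avascript:%s">Click here</A>' % PAYLOAD,  # constructed
    "stray_bracket": '<<IMG SRC="javascript:%s">' % PAYLOAD,       # advisory
    "benign": '<A HREF="http://example.com/">Click here</A>',      # constructed
}

if __name__ == "__main__":
    for label, markup in SAMPLES.items():
        print(label, literal_match(markup), decoded_match(markup))
```

Only the decoded comparison flags the entity-encoded sample; the literal search of the raw markup does not.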
    


