Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Various problems in Baltimore's WEBSweeper Script filtering

From: "eDvice Security Services" <support () edvicesecurity com>
Date: Sun, 12 Aug 2001 16:42:14 +0200
Sunday 12 August 2001
eDvice Security Services Advisory

Various problems in Baltimore's WEBSweeper Script filtering
===========================================================

Product Background
-------------------
WEBsweeper is Baltimore Technologies' Web Content Security solution. It
enables customers to implement Content Security policies on Web, HTTP and
passive FTP transfers.

Scope
------
eDvice recently conducted a test of WEBSweeper's ability to filter Scripts
at the gateway. WEBSweeper includes the ability to filter script from HTML
code.

The Findings
--------------
WEBSweeper includes some design and implementation flaws, which allow an
attacker to bypass restrictions set by the product administrator and
introduce malicious code into an organization.

Details
---------
We found three problems with WEBSweeper's Script filtering mechanism:

1) By adding an extra opening angled bracket before the SCRIPT tag, the tag
will be left unmodified by WEBSweeper. The browser however, will execute the
contained script. Example:

<<SCRIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>

2) Similar problem to the one we reported in
http://archives.neohapsis.com/archives/bugtraq/2001-05/0282.html appears
with WEBSweeper as well. The following crafted html code:

<SC<SCRIPT language="javascript"> </SCRIPT>RIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>

will be transformed by the WEBsweeper filter to yield the following result:

<SCRIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>

3) WEBSweeper does not recognize and does not filter scripting tags
constructed using extended Unicode notation. This is the same problem we
reported in http://archives.neohapsis.com/archives/bugtraq/2001-05/0285.html
(see also http://www.securityfocus.com/bid/2801) for a different product.

Version Tested
---------------
Baltimore Technologies WEBSweeper 4.02

Status
-------
Baltimore Technologies was notified on 31 July 2001.

Discovered by eDvice on 30 July 2001.
http://www.edviceSecurity.com
support () edviceSecurity com
Previous By Date Next
Previous By Thread Next

Current thread: