[NEWS] Various Problems in Baltimore's WEBsweeper Script Filtering
From: support@securiteam.com
Date: 08/15/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Various Problems in Baltimore's WEBsweeper Script Filtering
Message-Id: <20010815065219.4FC44138BF@mail.der-keiler.de>
Date: Wed, 15 Aug 2001 08:52:19 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Various Problems in Baltimore's WEBsweeper Script Filtering
------------------------------------------------------------------------
SUMMARY
<http://www.mimesweeper.com/products/websweeper4/default.asp> WEBsweeper,
a product that enables customers to implement Content Security policies on
Web, HTTP and passive FTP transfers, has been found to contain a security
vulnerability that allows attackers to execute arbitrary JavaScript on
clients protected by WEBsweeper, bypassing the product's filtering
mechanism.
DETAILS
Vulnerable systems:
Baltimore Technologies WEBsweeper 4.02
WEBsweeper includes some design and implementation flaws that allow an
attacker to bypass restrictions set by the product administrator and
introduce malicious code into an organization.
eDvice found three problems with WEBsweeper's Script filtering mechanism:
1) When an extra opening angle bracket is added before the SCRIPT tag,
WEBsweeper leaves the tag unmodified. The browser, however, will
execute the contained script. Example:
<<SCRIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>
2) WEBsweeper appears to manifest a problem similar to the one eDvice
reported in <http://www.securiteam.com/securitynews/5EP0W0A4AO.html>
eSafe Gateway Bypassing Using Extended Character Encoding. The following
specially designed HTML code:
<SC<SCRIPT language="javascript"> </SCRIPT>RIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>
Will be transformed by the WEBsweeper filter to yield the following
result:
<SCRIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>
3) WEBsweeper does not recognize and does not filter scripting tags
constructed using extended HTML notation.
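Problem 2 is what happens when a filter deletes matches in one pass and never re-examines its own output. The following is an added example, not code from the advisory or from WEBsweeper: it assumes a simplified regex-based strip filter (hypothetical names strip_once and strip_to_fixpoint) and shows the single pass beside a version that repeats until stable and then fails closed.

```python
import re

# Assumed model of a strip-style filter (not WEBsweeper's code): delete every
# complete <script ...>...</script> element, case-insensitively.
SCRIPT_ELEMENT = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
SCRIPT_OPEN = re.compile(r"<script\b", re.I)

# Constructed sample: the advisory's problem-2 markup between two paragraphs.
SAMPLE = (
    '<p>before</p>'
    '<SC<SCRIPT language="javascript"> </SCRIPT>RIPT language="javascript">\n'
    'alert("This should have been filtered");\n'
    '</SCRIPT>'
    '<p>after</p>'
)


def strip_once(html: str) -> str:
    """Single left-to-right pass; the output is never re-examined."""
    return SCRIPT_ELEMENT.sub("", html)


def strip_to_fixpoint(html: str, max_rounds: int = 32) -> str:
    """Repeat the pass until the output stops changing, then fail closed."""
    for _ in range(max_rounds):
        cleaned = strip_once(html)
        if cleaned == html:
            break
        html = cleaned
    else:
        raise ValueError("filter did not converge; block the response")
    if SCRIPT_OPEN.search(html):
        # An unmatched script tag is still present: block instead of passing it.
        raise ValueError("script tag remains after filtering; block the response")
    return html


if __name__ == "__main__":
    print("single pass :", repr(strip_once(SAMPLE)))
    print("fixpoint    :", repr(strip_to_fixpoint(SAMPLE)))
```

Repeating the pass closes only the reassembly case in problem 2; problems 1 and 3 concern recognizing the tag in the first place, which this model does not cover.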
ADDITIONAL INFORMATION
The information has been provided by <mailto:support@edvicesecurity.com>
eDvice Security Services.