[NEWS] Various Problems in Baltimore WEBSweeper URL Filtering (Additional characters, Replacement)

From: support@securiteam.com
Date: 09/06/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Various Problems in Baltimore WEBSweeper URL Filtering (Additional characters, Replacement)
Message-Id: <20010906194729.1A3CE138C0@mail.der-keiler.de>
Date: Thu,  6 Sep 2001 21:47:29 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Various Problems in Baltimore WEBSweeper URL Filtering (Additional
characters, Replacement)
------------------------------------------------------------------------

SUMMARY

WEBSweeper <http://www.mimesweeper.com/products/websweeper4/default.asp>
is Baltimore Technologies' Web Content Security solution. It enables
customers to implement Content Security policies on Web, HTTP and passive
FTP transfers. A security vulnerability in WEBsweeper allows attackers to
bypass its URL restrictions.

DETAILS

Vulnerable systems:
Baltimore Technologies WEBsweeper version 4.02

WEBsweeper includes some design and implementation flaws, which allow an
attacker to easily bypass restrictions set by the product administrator.
This can be used by internal users to bypass WEBsweeper's restrictions and
by authorized web servers to redirect the user to unauthorized web
servers.

At least the following methods can be used to bypass a restriction on the
URL http://example.com/restricted:

1) http://example.com//restricted
2) http://example.com/blabla/../restricted
3) http://example.com/./restricted
4) http://example.com/r%65stricted
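
The four forms above all name the same resource, so a filter that compares
the raw request path against its rule misses them. The following Python
sketch is an added example, not code from the advisory or from the vendor;
the function names and the exact-match blocklist are assumptions. It
canonicalizes the path before matching.

```python
import posixpath
import re
from urllib.parse import urlsplit, unquote

# Constructed blocklist entry and the four variants listed in the advisory.
BLOCKED = {("example.com", "/restricted")}
VARIANTS = [
    "http://example.com//restricted",
    "http://example.com/blabla/../restricted",
    "http://example.com/./restricted",
    "http://example.com/r%65stricted",
]

def canonical(url):
    """Return (host, path) in one canonical form for rule matching."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    # Decode percent-escapes until stable so double encoding (%2565)
    # collapses too; over-decoding is the conservative choice for a blocklist.
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/{2,}", "/", path)   # collapse repeated slashes
    path = posixpath.normpath(path)      # resolve "." and ".." segments
    return host, path

def naive_blocked(url):
    """Hypothetical raw comparison: matches only the literal rule text."""
    parts = urlsplit(url)
    return (parts.hostname, parts.path) in BLOCKED

def is_blocked(url):
    """Compare the canonical form against the blocklist."""
    return canonical(url) in BLOCKED

if __name__ == "__main__":
    for u in VARIANTS:
        print(u, "naive:", naive_blocked(u), "canonical:", is_blocked(u))
```
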

Vendor status:
Baltimore was notified on August 1 2001 and released the following
technote on September 4 2001:
http://www.mimesweeper.com/support/technotes/notes/1043.asp
Baltimore claims that it is not practical to use WEBsweeper to manage
blacklists. For those of you who intend to read Baltimore's technote,
please note that some of the examples in the technote, as well as in the
reference attached to the technote, discuss obscuring URLs at the BROWSER
level. These examples are not supposed to work with Proxy servers and
Gateways such as WEBsweeper. They are usually used by spammers to obscure
a URL displayed to users. They usually cannot be used by users to bypass
a Proxy or a Gateway URL filter (unless the filter includes additional
design and implementation flaws).

ADDITIONAL INFORMATION

The information has been provided by edvice Security Services
<mailto:support@edvicesecurity.com>.
