[NEWS] Various Problems in Baltimore MAILsweeper Script Filtering

From: support@securiteam.com
Date: 09/29/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Various Problems in Baltimore MAILsweeper Script Filtering
Message-Id: <20010929132455.0CF5D138BF@mail.der-keiler.de>
Date: Sat, 29 Sep 2001 15:24:55 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Various Problems in Baltimore MAILsweeper Script Filtering
------------------------------------------------------------------------

SUMMARY

 <http://www.mimesweeper.com/products/mailsweepersmtp/default.asp>
MAILsweeper is a Content Security solution for the gateway that allows
businesses to implement policy for Internet e-mail.
Security vulnerabilities in MAILsweeper allow an attacker to bypass
restrictions set by the product administrator and to introduce malicious
code into the organization.

DETAILS

Vulnerable systems:
Baltimore Technologies MAILsweeper version 4.2

edvice recently tested MAILsweeper's ability to filter scripts from
HTML e-mail. MAILsweeper includes an option to detect and remove
JavaScript and VBScript from incoming HTML e-mail.

The Findings
Two vulnerabilities in MAILsweeper allow an attacker to bypass
restrictions set by the product administrator and to introduce malicious
code into the organization.

1. MAILsweeper does not correctly handle HTML-encoded characters used in
place of characters in the string "javascript" or "vbscript" within certain
HTML tags. As a result, it is possible to bypass MAILsweeper's script
filtering.

For example:
<A HREF="ja&#118;ascript:alert('This part should be filtered')">Click here</A>
Or:

<IMG SRC="ja&#118;ascript:alert('This part should be filtered')">

2. A problem similar to the one edvice reported in WEBsweeper applies to
MAILsweeper as well. The following constructed HTML code:

<<IMG SRC="javascript:alert('This part should be filtered')">

will go undetected by MAILsweeper.
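
The check below is an added example, not code from the advisory or from MAILsweeper: it shows a gateway-side test that decodes character references and parses tags tolerantly before looking for a script scheme, run over the samples above. The function names, the attribute list and the benign sample are assumptions, naive_has_script is a hypothetical stand-in for a raw-text match, and the whitespace handling goes beyond the cases in the advisory.

```python
import re
from html.parser import HTMLParser

# Attributes a mail client may load as a URL (assumed, non-exhaustive list).
URL_ATTRS = {"href", "src", "action", "background", "lowsrc", "dynsrc"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")

def naive_has_script(markup):
    """Hypothetical weak filter: substring match on the raw, undecoded text."""
    lowered = markup.lower()
    return any(scheme in lowered for scheme in SCRIPT_SCHEMES)

def is_script_url(value):
    """True if an entity-decoded attribute value starts with a script scheme."""
    # Conservatively drop whitespace and control characters, which browsers
    # strip from URLs, then compare case-insensitively.
    squeezed = re.sub(r"[\x00-\x20]", "", value).lower()
    return squeezed.startswith(SCRIPT_SCHEMES)

class ScriptUrlFinder(HTMLParser):
    """Collects (tag, attribute, decoded value) for each script-scheme URL."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in attribute
        # values, so "ja&#118;ascript:" arrives here as "javascript:".
        for name, value in attrs:
            if name in URL_ATTRS and value and is_script_url(value):
                self.hits.append((tag, name, value))

def find_script_urls(markup):
    finder = ScriptUrlFinder()
    finder.feed(markup)
    finder.close()  # flush any buffered trailing text
    return finder.hits

# Two samples from the advisory and one constructed benign link.
ENCODED = '''<A HREF="ja&#118;ascript:alert('This part should be filtered')">Click here</A>'''
DOUBLE_LT = '''<<IMG SRC="javascript:alert('This part should be filtered')">'''
BENIGN = '<A HREF="http://www.example.com/javascript-guide">docs</A>'

if __name__ == "__main__":
    for sample in (ENCODED, DOUBLE_LT, BENIGN):
        print(naive_has_script(sample), find_script_urls(sample))
```

The stray leading "<" is passed through as text and the IMG tag that follows is still parsed, so both advisory samples are reported while the benign link is not.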

ADDITIONAL INFORMATION

The information has been provided by <mailto:support@edvicesecurity.com>
edvice Security Services.


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
