Various problems in Baltimore's WEBSweeper Script filtering

From: eDvice Security Services (support@edvicesecurity.com)
Date: 08/12/01


From: "eDvice Security Services" <support@edvicesecurity.com>
To: <bugtraq@securityfocus.com>
Subject: Various problems in Baltimore's WEBSweeper Script filtering
Date: Sun, 12 Aug 2001 16:42:14 +0200
Message-ID: <LPBBLIBKGEPPINMKCMMJAEFCCHAA.support@edvicesecurity.com>

Sunday 12 August 2001
eDvice Security Services Advisory

Various problems in Baltimore's WEBSweeper Script filtering
===========================================================

Product Background
-------------------
WEBsweeper is Baltimore Technologies' Web Content Security solution. It
enables customers to implement Content Security policies on Web, HTTP and
passive FTP transfers.

Scope
------
eDvice recently conducted a test of WEBSweeper's ability to filter scripts
at the gateway. WEBSweeper includes the ability to filter scripts from HTML
code.

The Findings
--------------
WEBSweeper includes some design and implementation flaws, which allow an
attacker to bypass restrictions set by the product administrator and
introduce malicious code into an organization.

Details
---------
We found three problems with WEBSweeper's Script filtering mechanism:

1) By adding an extra opening angle bracket before the SCRIPT tag, the tag
is left unmodified by WEBSweeper. The browser, however, will execute the
contained script. Example:

<<SCRIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>

2) A problem similar to the one we reported in
http://archives.neohapsis.com/archives/bugtraq/2001-05/0282.html appears
in WEBSweeper as well. The following crafted HTML code:

<SC<SCRIPT language="javascript"> </SCRIPT>RIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>

will be transformed by the WEBSweeper filter into the following result:

<SCRIPT language="javascript">
alert("This should have been filtered");
</SCRIPT>

3) WEBSweeper neither recognizes nor filters scripting tags constructed
using extended Unicode notation. This is the same problem we reported in
http://archives.neohapsis.com/archives/bugtraq/2001-05/0285.html
(see also http://www.securityfocus.com/bid/2801) for a different product.
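As an added illustration, not part of the advisory and not Baltimore's code, the following Python models the two filter behaviours described in problems 1 and 2 (a tag scanner that reads the tag name right after '<', and a one-pass matcher that never re-examines its own output) and a fixed-point variant that removes both crafted inputs. The regular expressions, function names and the assumption about how each filter is written are this example's own, not WEBSweeper's actual implementation.

```python
import re

# Constructed test vectors reproducing the advisory's two crafted inputs.
DOUBLE_LT = ('<<SCRIPT language="javascript">\n'
             'alert("This should have been filtered");\n'
             '</SCRIPT>')
NESTED = ('<SC<SCRIPT language="javascript"> </SCRIPT>RIPT language="javascript">\n'
          'alert("This should have been filtered");\n'
          '</SCRIPT>')

# A complete <script ...>...</script> element, case-insensitive, spanning newlines.
SCRIPT_RE = re.compile(r'<script\b[^>]*>.*?</script\s*>', re.IGNORECASE | re.DOTALL)
# Any '<...>' tag followed by content up to a closing </script> (scanner model only).
ELEMENT_RE = re.compile(r'<([^>]*)>.*?</script\s*>', re.IGNORECASE | re.DOTALL)

def scanner_strip(html):
    """Model of a tag scanner (problem 1): '<' opens a tag that runs to the next '>',
    and the element is dropped only if the name read there is 'script'. In
    '<<SCRIPT ...>' the name read is '<SCRIPT', so the element is passed through."""
    def drop_if_script(match):
        parts = match.group(1).split()
        name = parts[0].lower() if parts else ''
        return '' if name == 'script' else match.group(0)
    return ELEMENT_RE.sub(drop_if_script, html)

def single_pass_strip(html):
    """Model of a one-pass matcher (problem 2): removing the inner element from
    '<SC<SCRIPT> </SCRIPT>RIPT ...>' splices 'SC' and 'RIPT' into a fresh <SCRIPT>
    tag that this pass never re-examines."""
    return SCRIPT_RE.sub('', html)

def fixed_point_strip(html, max_rounds=8):
    """Hardened variant: repeat the pass until a round removes nothing, so a tag
    reassembled by one round is removed by the next. It also handles '<<SCRIPT'
    because the pattern looks for '<script' at any offset, not only at a tag start."""
    for _ in range(max_rounds):
        out = SCRIPT_RE.sub('', html)
        if out == html:
            return out
        html = out
    return ''  # still changing after max_rounds: fail closed instead of passing it on

def leaks_script(html):
    """Approximates what the browser sees: is a runnable <script> element still present?"""
    return SCRIPT_RE.search(html) is not None
```

Running the two models over the constructed inputs shows each bypass the advisory describes, while fixed_point_strip leaves nothing for leaks_script to find.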

Version Tested
---------------
Baltimore Technologies WEBSweeper 4.02

Status
-------
Baltimore Technologies was notified on 31 July 2001.

Discovered by eDvice on 30 July 2001.
http://www.edviceSecurity.com
support@edviceSecurity.com


