OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: eDvice Security Services (supportedvicetech.com)
Date: Tue May 29 2001 - 16:42:43 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    29 May 2001

    This is the second of 3 sequential advisories we are issuing regarding
    Aladdin eSafe Gateway.

    Product Background
    ---------------------------
    eSafe Gateway is an Internet Content Security product.

    You can configure eSafe Gateway to remove scripts (VBScripts, JavaScripts)
    and other executable tags from incoming HTML documents. Alternatively, the
    administrator can ban certain scripting commands from appearing inside
    scripts. The banned commands will be removed, while the rest of the HTML
    page is left intact.

    Scope
    ---------
    eDvice recently conducted a test of eSafe's ability to remove scripts from
    HTML documents. Although scripts are widely used by many web-sites, some
    organizations requesting to allow only limited use of Internet access from
    their internal network, prefer to disable scripting capabilities in order to
    avoid various known, as well as yet to be found, browser-based attacks.

    The Findings
    ------------------
    eSafe ignores scripting language commands embedded inside HTML tags. This
    allows an attacker to bypass eSafe's script filtering mechanism.

    Details
    ----------
    HTML specification allows embedding of scripting language commands in
    various tags, such as <BODY>, <BUTTON>, <INPUT> and so on. The scripting
    commands can be included as an attribute of the tag, and executed under
    various conditions. For example, commands included within the ONLOAD
    attribute of the <BODY> tag are automatically executed when the page is
    loaded into the browser.
    eSafe completely ignores such scripting commands, allowing an attacker to
    bypass its script filtering mechanism and introducing malicious code into an
    organization. For example, the following potentially harmful script will go
    undetected by eSafe, even if the "remove all scripts" option is enabled:

    <A HREF="javascript:var fso = new
    ActiveXObject('Scripting.FileSystemObject');var a =
    fso.CreateTextFile('c:\\testfile2.txt', true);a.WriteLine('This is a
    test.');a.Close();">Click here</A>

    HREF is not the only tag ignored. Any tag capable of containing scripting
    command will not be filtered by eSafe. For example:

    <BODY onload="alert('hi');">

    Status
    --------
    The entire content of this advisory was reviewed and acknowledged by
    Aladdin.
    Aladdin was informed on May 22 2001.
    Aladdin claims that this issue is mentioned in the product's Release Notes.
    We have downloaded the Release Notes from Aladdin's web site a month ago and
    then again today.
    We found no evidence to support this claim.
    We called Aladdin today and asked them to send us the Release Notes.
    Aladdin sent us a version of the Release Notes that regard this issue.
    The release Notes (a pdf file) was produced today - 29 May 2001.

    Conclusion
    ---------------
    We find eSafe's "remove all scripts" feature has a fundamental flaw.
    Organizations that wish to disable scripting altogether, are trying to
    prevent hostile sites from using scripts to penetrate their systems. These
    hostile sites can easily bypass eSafe by adding the code to an href tag or
    any other tag. Even worse is the false sense of security given by Aladdin's
    claim that all scripts are removed from the HTML files.

    ====================
    Discovered by:
    eDvice Security Services
    supportedvicetech.com
    http://www.edvicetech.com
    Tel: +972-3-6120133
    Fax: +972-3-6954837