OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: eDvice Security Services (supportedvicesecurity.com)
Date: Mon Jul 09 2001 - 11:34:34 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Monday 9 July 2001

    eDvice Security Services Advisory - Various problems in Trend Micro
    AppletTrap URL filtering

    Product Background
    ------------------
    Trend Micro AppletTrap is a product for blocking malicious Java applets,
    malicious JavaScript and unsecured ActiveX controls at the gateway. The
    product includes an option for URL filtering.

    Scope
    -----
    eDvice recently conducted a test of AppletTrap's ability to filter URLs at
    the gateway. AppletTrap includes the ability to restrict access to selected
    URLs. It does not include the option to restrict access to all URLs except
    for selected URLs.

    The Findings
    ------------
    AppletTrap includes some design and implementation flaws, which allow an
    attacker to easily bypass restrictions set by the product administrator.
    This can be used by internal users to bypass AppletTrap's restrictions and
    by authorized web servers to redirect the user to unauthorized web servers.

    Details
    -------
    We found four problems with AppletTrap's URL filtering mechanism:

    1) Double slash: Restricted access to http://source.com/restricted could be
    bypassed by typing: http://source.com//restricted.

    2) URL encoding: The same restriction could also be bypassed by typing:
    http://source.com/r%65stricted

    3) Resolving IP addresses: The same restriction could be bypassed by typing
    the IP address of source.com instead of the domain name (the opposite
    scenario works as well. I.e. bypassing IP address restriction by using the
    domain name).

    4) Dot notation: Restricting access to a certain IP address (e.g.
    http://192.16.100.100) could be bypassed by typing: http://192.016.100.100
    or even http://00192.16.100.100

    Version Tested
    --------------
    AppletTrap 2.0

    Status
    ------
    Trend Micro was notified on 28 June 2001. The problem was escalated to their
    QA department on the same day. We haven't received any further information
    from Trend Micro.

    Solution
    --------
    Do not rely on Trend Micro AppletTrap for URL filtering until Trend Micro
    fixes the problems.

    Discovered by eDvice on 28 June 2001.
    http://www.edvicesecurity.com/vul26.htm
    supportedvicesecurity.com