OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: edvice Security Services (supportedvicesecurity.com)
Date: Wed Sep 05 2001 - 03:57:27 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Tuesday 4 September 2001

    Various problems in Baltimore WebSweeper URL filtering
    ======================================================

    Product Background
    ------------------
    WEBSweeper is Baltimore Technologies' Web Content Security solution. It
    enables customers to implement Content Security policies on Web, HTTP and
    passive FTP transfers.

    Scope
    -----
    edvice recently conducted a test of WebSweeper's ability to filter URLs at
    the gateway. WebSweeper includes the ability to restrict access to selected
    URLs.

    The Findings
    -------------
    WebSweeper includes some design and implementation flaws, which allow an
    attacker to easily bypass restrictions set by the product administrator.
    This can be used by internal users to bypass WebSweeper's restrictions and
    by authorized web servers to redirect the user to unauthorized web servers.

    Details
    --------
    At least the following methods can be used to bypass the restricted URL:
    http://source.com/restricted

    The methods are:

    1) http://source.com//restricted
    2) http://source.com/blabla/../restricted
    3) http://source.com/./restricted
    4) http://source.com/r%65stricted

    Version Tested
    --------------
    Baltimore Technologies WebSweeper 4.02

    Status
    -------
    Baltimore was notified on August 1 2001 and released the following technote
    on September 4 2001:
    http://www.mimesweeper.com/support/technotes/notes/1043.asp
    Baltimore claims that it is not practical to use WEBsweeper to manage
    blacklists.
    For those of you who intend to read Baltimore's technote, please mind that
    some of the examples in the technote as well as in the reference attached to
    the technote, discuss obscuring URLs at the BROWSER level. These examples
    are not supposed to work with Proxy servers and Gateways such as WebSweeper.
    These examples are usually being used by spammers to obscure a URL displayed
    to users. They usually can't be used by users to bypass a Proxy or a Gateway
    URL filter (unless the filter includes additional design and implementation
    flaws).

    edvice Security Services
    http://www.edvicesecurity.com/vul29.htm
    supportedviceSecurity.com