COMMAND

    AppletTrap

SYSTEMS AFFECTED

    Trend Micro AppletTrap 2.0

PROBLEM

    Following is based on a eDvice Security Services Advisory.   Trend
    Micro  AppletTrap  is  a  product  for  blocking  malicious   Java
    applets, malicious  JavaScript and  unsecured ActiveX  controls at
    the gateway.  The product includes an option for URL filtering.

    eDvice  recently  conducted  a  test  of  AppletTrap's  ability to
    filter URLs at  the gateway.   AppletTrap includes the  ability to
    restrict access to selected URLs.  It does not include the  option
    to restrict access to all URLs except for selected URLs.

    AppletTrap includes  some design  and implementation  flaws, which
    allow  an  attacker  to  easily  bypass  restrictions  set  by the
    product administrator.   This can  be used  by internal  users  to
    bypass AppletTrap's restrictions and by authorized web servers  to
    redirect the user to unauthorized web servers.

    eDvice  found  four  problems  with  AppletTrap's  URL   filtering
    mechanism:

    1) Double slash:
        Restricted  access  to  http://source.com/restricted  could be
        bypassed by typing:  http://source.com//restricted.
    2) URL encoding:
        The  same  restriction  could  also  be  bypassed  by  typing:
        http://source.com/r%65stricted
    3) Resolving IP addresses:
        The  same  restriction  could  be  bypassed  by  typing the IP
        address  of  source.com  instead  of  the  domain  name   (the
        opposite scenario  works as  well. I.e.  bypassing IP  address
        restriction by using the domain name).

    4) Dot notation:
        Restricting   access   to   a   certain   IP   address   (e.g.
        http://192.16.100.100)   could   be   bypassed   by    typing:
        http://192.016.100.100 or even http://00192.16.100.100

SOLUTION

    Trend  Micro  was  notified  on  28  June  2001.   The problem was
    escalated to their QA department on the same day.  No response.

    Do not  rely on  Trend Micro  AppletTrap for  URL filtering  until
    Trend Micro fixes the problems.