COMMAND

    eSafe Gateway

SYSTEMS AFFECTED

    eSafe Gateway

PROBLEM

    eDvice Security Services found the following.  eSafe Gateway is an
    Internet  Content  Security  product.   You  can  configure  eSafe
    Gateway  to  remove  scripts  (VBScripts,  JavaScripts)  and other
    executable tags from incoming HTML documents.  Alternatively,  the
    administrator can  ban certain  scripting commands  from appearing
    inside scripts.  The banned  commands will  be removed,  while the
    rest of the HTML page is left intact.

    eDvice recently conducted a test of eSafe's ability to remove
    scripts from HTML documents.  Although scripts are widely used by
    many web sites, some organizations that want to allow only limited
    use of Internet access from their internal network prefer to
    disable scripting capabilities in order to avoid various known, as
    well as yet to be found, browser-based attacks.

    eSafe  ignores  scripting  language  commands embedded inside HTML
    tags.  This allows an attacker to bypass eSafe's script  filtering
    mechanism.

    The HTML specification allows embedding of scripting language
    commands in various tags, such as <BODY>, <BUTTON>, <INPUT> and so
    on.  The scripting commands can be included as an attribute of the
    tag, and executed under various conditions.  For example, commands
    included within the ONLOAD attribute of the <BODY> tag are
    automatically executed when the page is loaded into the browser.
    eSafe completely ignores such scripting commands, allowing an
    attacker to bypass its script filtering mechanism and introduce
    malicious code into an organization.  For example, the following
    potentially harmful script will go undetected by eSafe, even if
    the "remove all scripts" option is enabled:

        <A HREF="javascript:var fso = new
        ActiveXObject('Scripting.FileSystemObject');var a =
        fso.CreateTextFile('c:\\testfile2.txt', true);a.WriteLine('This is a
        test.');a.Close();">Click here</A>

    HREF is not the only attribute ignored.  Any tag capable of
    containing scripting commands will not be filtered by eSafe.  For
    example:

        <BODY onload="alert('hi');">
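
    An added example, not part of the original advisory and not
    eSafe's code: a Python comparison of a filter that only removes
    <SCRIPT> elements with one that also drops on* event-handler
    attributes and script-scheme URLs, the two cases described above.
    The function names, the URL attribute list and the sample input
    are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

SCRIPT_SCHEMES = ("javascript:", "vbscript:")
URL_ATTRS = {"href", "src", "action", "background"}  # assumed list, not exhaustive

def naive_filter(html):  # element-only: drops <script> blocks and nothing else
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", html)

class AttrAwareFilter(HTMLParser):
    """Re-emits tags and text minus script elements, on* handlers, script URLs."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.in_script = [], [], False

    def _keep(self, name, value):
        # normalise the value first: drop whitespace/control chars, fold case
        norm = re.sub(r"[\x00-\x20]", "", value or "").lower()
        return not (name.startswith("on") or
                    (name in URL_ATTRS and norm.startswith(SCRIPT_SCHEMES)))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            return
        kept = [(n, v) for n, v in attrs if self._keep(n, v)]
        self.removed += [f"{tag}.{n}" for n, v in attrs if not self._keep(n, v)]
        text = "".join(f" {n}" if v is None else f' {n}="{escape(v)}"' for n, v in kept)
        self.out.append(f"<{tag}{text}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(escape(data, quote=False))

def attr_aware_filter(html):
    p = AttrAwareFilter()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed

# Constructed sample modelled on the page's two examples, with a benign payload.
SAMPLE = ("<BODY onload=\"alert('hi');\"><SCRIPT>alert('hi')</SCRIPT>"
          "<A HREF=\"javascript:alert('hi');\">Click here</A></BODY>")
```

    The removed list names each stripped attribute as tag.attribute,
    which a gateway could log.  Comments and doctype declarations are
    not re-emitted by this filter.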

SOLUTION

    Aladdin  claims  that  this  issue  is  mentioned in the product's
    Release  Notes  of  29  May  2001.   We  find  eSafe's "remove all
    scripts" feature has a fundamental flaw.  Organizations that wish
    to disable scripting altogether are trying to prevent hostile
    sites from using scripts to penetrate their systems.  These
    hostile sites can easily bypass eSafe by adding the code to an
    href attribute or any other tag.  Even worse is the false sense of
    security given  by Aladdin's  claim that  all scripts  are removed
    from the HTML files.