COMMAND

    eSafe Gateway

SYSTEMS AFFECTED

    Aladdin eSafe Gateway

PROBLEM

    eDvice Security  Services found  following.   eSafe Gateway  is an
    Internet  Content  Security  product.   You  can  configure  eSafe
    Gateway  to  remove  scripts  (VBScripts,  JavaScripts)  and other
    executable tags from incoming HTML documents.  Alternatively,  the
    administrator can  ban certain  scripting commands  from appearing
    inside scripts.   The banned commands  will be removed,  while the
    rest of the HTML page is left intact.

    eDvice  recently  conducted  a  test  of eSafe's ability to remove
    scripts from HTML documents.  Although scripts are widely used  by
    many  web-sites,  some  organizations  requesting  to  allow  only
    limited use of Internet access from their internal network, prefer
    to disable scripting capabilities in order to avoid various known,
    as well as yet to be found, browser-based attacks.

    eSafe does not recognize scripting tags constructed using extended
    Unicode notation.  This allows an attacker to bypass eSafe  script
    filtering  mechanism   and  introduce   malicious  code   into  an
    organization.

    eSafe gateway  analyzes the  incoming HTML  file and  searches for
    the keyword  "<SCRIPT'.   From the  moment the  keyword was found,
    eSafe looks for a following "</Script>" keyword and then  replaces
    the entire content between these keywords with spaces.

    However,  browsers  such  as  Internet  Explorer  accept  extended
    Unicode character representation within HTML files.  If the string
    "<SCRIPT" is replaced  with some extended  Unicode representation,
    then eSafe will not  filter the tag and  the browser will run  the
    script.

    To repeat this  vulnerability, place the  file on your  web server
    and configure eSafe to remove all scripts.  Access the file  using
    the browser and you will  see the message "hello" on  your screen.
    This is a message generated by a VBScript script that should  have
    been filtered.

    Below is mimed zip of HTML file mentioned above

    ---
    Content-Type: application/octet-stream; name="script38.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: inline; filename="script38.zip"
    Content-MD5: eX2itEm3Udm+kb6kfo01hA==
    
    UEsDBBQAAAAIAEdxvSqz9PjqwgAAAP8AAAAOAAAAc2NyaXB0MzhhLmh0bWw9j8EKgkAQhu9B
    7zDs3ewUQa5gtWWQCrUFHTfbcmFzTceo5+h1IuzNUqxOH/zzz8eM4/Ng6XY7js+8acOAcQ9C
    L2CUzFnIVh6PVgQmJkWZIiWBinNTmCPCVhWl0LDG8qAMDHp98l+Pf22UN7QTPOsRxInIC4l0
    w2fWkECCmFnyUqor/botfs9ko+ALvmSuY7esA/t32zia7mpWz/cjzlWGoEV6KsVJ0uv+G1Uv
    oWWOQHyptSHV0/4PGtPYHO6tsn37A1BLAQIUABQAAAAIAEdxvSqz9PjqwgAAAP8AAAAOAAAA
    AAAAAAEAIAC2gQAAAABzY3JpcHQzOGEuaHRtbFBLBQYAAAAAAQABADwAAADuAAAAAAA=
    
    -----

SOLUTION

    Do not rely on eSafe Gateway version 3.0 for HTML filtering  until
    Aladdin fixes the problem.   Aladdin will publish a workaround  to
    avoid this vulnerability and will  address this issue in the  next
    release of eSafe Gateway.