COMMAND

    Baltimore's WEBSweeper Script filtering

SYSTEMS AFFECTED

    Baltimore Technologies WEBSweeper 4.02

PROBLEM

    The following is based on an eDvice Security Services advisory.
    WEBSweeper is Baltimore Technologies' Web content security
    solution.  It enables customers to implement content security
    policies on Web, HTTP and passive FTP transfers.

    eDvice recently conducted a test of WEBSweeper's ability to
    filter scripts at the gateway.  WEBSweeper includes the ability
    to filter scripts from HTML code.

    WEBSweeper includes  some design  and implementation  flaws, which
    allow  an  attacker  to  bypass  restrictions  set  by the product
    administrator and introduce malicious code into an organization.

    eDvice  found  three  problems  with WEBSweeper's Script filtering
    mechanism:

    1) If an extra opening angle bracket is added before the SCRIPT
       tag, WEBSweeper leaves the tag unmodified.  The browser,
       however, will execute the contained script.  Example:

        <<SCRIPT language="javascript">
        alert("This should have been filtered");
        </SCRIPT>

    2) The following crafted HTML code:

        <SC<SCRIPT language="javascript"> </SCRIPT>RIPT language="javascript">
        alert("This should have been filtered");
        </SCRIPT>

       will be transformed by the WEBSweeper filter to yield the
       following result:

        <SCRIPT language="javascript">
        alert("This should have been filtered");
        </SCRIPT>

    3) WEBSweeper  does not  recognize and  does not  filter scripting
       tags constructed using extended Unicode notation.
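
    Problem 2 is what a filter produces when it deletes matching
    elements in a single pass and forwards the result without scanning
    it again.  The Python sketch below is an added example, not
    WEBSweeper's code and not from the eDvice advisory: strip_once is
    an assumed model of such a filter, and strip_to_fixpoint (also a
    hypothetical name) repeats the removal until the output is stable
    and rejects anything that still contains a script tag.  It does
    not model problems 1 or 3.

```python
import re

# Assumed model of a strip-style filter: one left-to-right pass that deletes
# every complete <SCRIPT ...>...</SCRIPT> element it finds.
SCRIPT_ELEMENT = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
# Any opening script tag left in the output means active content got through.
SCRIPT_OPEN = re.compile(r"<script\b", re.I)

# Sample 2 from the advisory text above.
NESTED = (
    '<SC<SCRIPT language="javascript"> </SCRIPT>RIPT language="javascript">\n'
    'alert("This should have been filtered");\n'
    '</SCRIPT>'
)

def has_script(html: str) -> bool:
    return SCRIPT_OPEN.search(html) is not None

def strip_once(html: str) -> str:
    """Weak design: remove matches once and forward the result unchecked."""
    return SCRIPT_ELEMENT.sub("", html)

def strip_to_fixpoint(html: str, max_rounds: int = 32) -> str:
    """Remove until the output stops changing, then fail closed on residue."""
    for _ in range(max_rounds):
        stripped = strip_once(html)
        if stripped == html:
            break
        html = stripped
    else:
        raise ValueError("filter did not converge; block the response")
    if has_script(html):
        # e.g. an opening tag with no closing tag, which the regex never matches
        raise ValueError("script tag survived filtering; block the response")
    return html

if __name__ == "__main__":
    print(repr(strip_once(NESTED)))         # script tag reassembled
    print(repr(strip_to_fixpoint(NESTED)))  # nothing left to execute
```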

SOLUTION

    Nothing yet.