|
Vulnerability AppletTrap Affected Trend Micro AppletTrap 2.0 Description Following is based on a eDvice Security Services Advisory. Trend Micro AppletTrap is a product for blocking malicious Java applets, malicious JavaScript and unsecured ActiveX controls at the gateway. The product includes an option for URL filtering. eDvice recently conducted a test of AppletTrap's ability to filter URLs at the gateway. AppletTrap includes the ability to restrict access to selected URLs. It does not include the option to restrict access to all URLs except for selected URLs. AppletTrap includes some design and implementation flaws, which allow an attacker to easily bypass restrictions set by the product administrator. This can be used by internal users to bypass AppletTrap's restrictions and by authorized web servers to redirect the user to unauthorized web servers. eDvice found four problems with AppletTrap's URL filtering mechanism: 1) Double slash: Restricted access to http://source.com/restricted could be bypassed by typing: http://source.com//restricted. 2) URL encoding: The same restriction could also be bypassed by typing: http://source.com/r%65stricted 3) Resolving IP addresses: The same restriction could be bypassed by typing the IP address of source.com instead of the domain name (the opposite scenario works as well. I.e. bypassing IP address restriction by using the domain name). 4) Dot notation: Restricting access to a certain IP address (e.g. http://192.16.100.100) could be bypassed by typing: http://192.016.100.100 or even http://00192.16.100.100 Solution Trend Micro was notified on 28 June 2001. The problem was escalated to their QA department on the same day. No response. Do not rely on Trend Micro AppletTrap for URL filtering until Trend Micro fixes the problems.