Vulnerability: eSafe Gateway
Affected: Aladdin eSafe Gateway 2.x

Description

eDvice Security Services found the following.

eSafe Gateway is an Internet content security product. You can configure eSafe Gateway to remove scripts (VBScript, JavaScript) and other executable tags from incoming HTML documents. Alternatively, the administrator can ban certain scripting commands from appearing inside scripts. The banned commands are removed, while the rest of the HTML page is left intact.

eDvice recently tested eSafe's ability to remove scripts from HTML documents. Although scripts are widely used by many web sites, some organizations that allow only limited Internet access from their internal network prefer to disable scripting capabilities in order to avoid various known, as well as yet to be found, browser-based attacks.

eSafe Gateway analyzes the incoming HTML file and searches for the keyword "<SCRIPT". From the moment the keyword is found, eSafe looks for a following "</SCRIPT>" keyword and then replaces the entire content between these keywords with spaces.

On version 2.X of eSafe Gateway, if a "<SCRIPT" keyword follows another "<SCRIPT" keyword without any "</SCRIPT>" in between, eSafe ignores the first "<SCRIPT". This behavior allows an attacker to bypass eSafe's filtering mechanism, as demonstrated below. However, it seems that in the release version of eSafe 3.0 the first "<SCRIPT" keyword is not ignored, and hence this type of attack fails.

Let's say, for example, that we want the following HTML code to enter an organization and the script it contains to be executed:

    <HTML><HEAD></HEAD>
    <BODY>
    <SCRIPT language="JavaScript">
    alert("hi");
    </SCRIPT>
    </BODY></HTML>

If we run this page through eSafe's filtering engine, the script is filtered and the result is the following HTML code:

    <HTML><HEAD></HEAD>
    <BODY>
    </BODY></HTML>

However, if we create the following code:

    <HTML><HEAD></HEAD>
    <BODY>
    <SCRIPT<script language="javascript"> </script> language="javascript">
    alert("hi");
    </SCRIPT>
    </BODY></HTML>

then only the inner "<script language="javascript"> </script>" is extracted, and we are left with the following HTML code:

    <HTML><HEAD></HEAD>
    <BODY>
    <SCRIPT language="javascript">
    alert("hi");
    </SCRIPT>
    </BODY></HTML>

Solution

Do not rely on eSafe Gateway version 2.X for HTML filtering. eSafe Gateway 3.0 is not vulnerable to this attack.
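To make the filtering defect concrete, the following added example (written for this page, not eSafe's or eDvice's code) models the 2.x "forget the earlier <SCRIPT" behavior described above beside a hardened variant that always blanks from the first opener it saw, fails closed on an unterminated opener, and rescans until no "<SCRIPT" token survives. The two sample pages are constructed from the advisory's own HTML; the modeled 2.x behavior is our reading of the description, not the vendor's implementation.

```python
import re

# Constructed sample pages built from the advisory's own HTML (not eSafe's code).
PLAIN_PAGE = ('<HTML><HEAD></HEAD> <BODY> <SCRIPT language="JavaScript"> '
              'alert("hi"); </SCRIPT> </BODY></HTML>')
NESTED_PAGE = ('<HTML><HEAD></HEAD> <BODY> <SCRIPT<script language="javascript"> '
               '</script> language="javascript"> alert("hi"); </SCRIPT> </BODY></HTML>')

OPENER = re.compile(r"<script", re.IGNORECASE)
CLOSER = re.compile(r"</script\s*>", re.IGNORECASE)


def strip_scripts_2x_model(html: str) -> str:
    """Model of the 2.x behaviour the advisory describes (our reading, not vendor code):
    when another '<SCRIPT' appears before the matching '</SCRIPT>', the earlier one is
    forgotten, so only the innermost opener..closer span is blanked with spaces."""
    out, pos = [], 0
    while (m := OPENER.search(html, pos)):
        close = CLOSER.search(html, m.end())
        if not close:                     # unterminated: assumed left untouched in 2.x
            break
        start = m.start()
        inner = OPENER.search(html, m.end(), close.start())
        while inner:                      # a nearer '<SCRIPT' displaces the first one
            start, inner = inner.start(), OPENER.search(html, inner.end(), close.start())
        out.append(html[pos:start] + " " * (close.end() - start))
        pos = close.end()
    return "".join(out) + html[pos:]


def strip_scripts_hardened(html: str) -> str:
    """Blank from the FIRST '<SCRIPT' seen to the first '</SCRIPT>' after it, fail closed
    (blank to end of document) on an unterminated opener, and rescan until no opener
    survives. Leftover attribute text without an opener is inert in the browser."""
    while (m := OPENER.search(html)):
        close = CLOSER.search(html, m.end())
        end = close.end() if close else len(html)
        html = html[:m.start()] + " " * (end - m.start()) + html[end:]
    return html


def opener_survives(html: str) -> bool:
    """Defender's acceptance check: does any '<SCRIPT' token remain after filtering?"""
    return OPENER.search(html) is not None
```

Running `opener_survives` over the filter output is the regression check to keep: the 2.x model lets an opener through on NESTED_PAGE, the hardened filter does not.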