COMMAND

    Baltimore's WEBsweeper Script filtering

SYSTEMS AFFECTED

    Baltimore Technologies WEBsweeper 4.02

PROBLEM

    Following is based on an eDvice Security Services Advisory.

    WEBsweeper is Baltimore Technologies' Web Content Security solution.
    It enables customers to implement Content Security policies on Web,
    HTTP and passive FTP transfers.

    eDvice recently conducted a test of WEBsweeper's ability to filter
    scripts at the gateway. WEBsweeper includes the ability to filter
    script from HTML code. WEBsweeper includes some design and
    implementation flaws, which allow an attacker to bypass restrictions
    set by the product administrator and introduce malicious code into an
    organization.

    eDvice found three problems with WEBsweeper's Script filtering
    mechanism:

    1) By adding an extra opening angled bracket before the SCRIPT tag,
       the tag will be left unmodified by WEBsweeper. The browser,
       however, will execute the contained script. Example:

        <<SCRIPT language="javascript"> alert("This should have been filtered"); </SCRIPT>

    2) The following crafted HTML code:

        <SC<SCRIPT language="javascript"> </SCRIPT>RIPT language="javascript"> alert("This should have been filtered"); </SCRIPT>

       will be transformed by the WEBsweeper filter to yield the
       following result:

        <SCRIPT language="javascript"> alert("This should have been filtered"); </SCRIPT>

    3) WEBsweeper does not recognize and does not filter scripting tags
       constructed using extended Unicode notation.

SOLUTION

    Update (06 August 2002)
    ======
    The bug was fixed in November 2001 with the release of WEBsweeper
    4.1.1. You can get the latest release (currently 4.1.6) from
    [http://www.clearswift.com]
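
Problem 2 above is what a single-pass tag stripper does when removing one tag splices a new one together from the text around it. The following is an added example, not code from the advisory or from WEBsweeper: strip_once is a constructed model of such a filter (an assumption about the flaw class, not the product's implementation), and strip_to_fixpoint is the hardened form that re-runs the filter until the output is stable and fails closed otherwise. The two samples are the ones quoted in the advisory.

```python
import re

# Constructed model of a single-pass script stripper. This is an assumption
# used to illustrate the flaw class, not WEBsweeper's actual code.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
SCRIPT_OPEN = re.compile(r"<\s*script\b", re.I)

# Samples quoted in the advisory (problems 1 and 2).
SAMPLE_1 = '<<SCRIPT language="javascript"> alert("This should have been filtered"); </SCRIPT>'
SAMPLE_2 = ('<SC<SCRIPT language="javascript"> </SCRIPT>RIPT language="javascript"> '
            'alert("This should have been filtered"); </SCRIPT>')


def strip_once(html):
    """Remove every <script>...</script> block found in one left-to-right pass."""
    return SCRIPT_BLOCK.sub("", html)


def has_script_tag(html):
    """True if anything that opens a script element is still present."""
    return SCRIPT_OPEN.search(html) is not None


def strip_to_fixpoint(html, max_rounds=10):
    """Re-run the filter until the output stops changing.

    Removing a tag can join the text on either side into a new tag, so the
    result of one pass has to be filtered again. If the content is still
    changing after max_rounds, raise so the caller blocks the response
    instead of forwarding partially filtered content.
    """
    for _ in range(max_rounds):
        cleaned = strip_once(html)
        if cleaned == html:
            return cleaned
        html = cleaned
    raise ValueError("content did not stabilise; block the response")


if __name__ == "__main__":
    for name, sample in (("problem 1", SAMPLE_1), ("problem 2", SAMPLE_2)):
        once = strip_once(sample)
        stable = strip_to_fixpoint(sample)
        print(name, "| single pass leaves script:", has_script_tag(once),
              "| fixpoint leaves script:", has_script_tag(stable))
```

The matcher used here finds the tag in the problem 1 sample even in a single pass, so that sample only confirms that the hardened filter leaves no script element behind; it does not reproduce the product's handling of the extra bracket.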