From: "edvice Security Services"
To:
Subject: Various problems in Baltimore WebSweeper URL filtering
Date: Thursday 6 September 2001 06:28

Tuesday 4 September 2001

Various problems in Baltimore WebSweeper URL filtering
======================================================

Product Background
------------------

WEBSweeper is Baltimore Technologies' Web Content Security solution. It enables customers to implement Content Security policies on Web, HTTP and passive FTP transfers.

Scope
-----

edvice recently conducted a test of WebSweeper's ability to filter URLs at the gateway. WebSweeper includes the ability to restrict access to selected URLs.

The Findings
------------

WebSweeper includes some design and implementation flaws which allow an attacker to easily bypass restrictions set by the product administrator. This can be used by internal users to bypass WebSweeper's restrictions, and by authorized web servers to redirect the user to unauthorized web servers.

Details
-------

Suppose the administrator restricts access to the following URL:

    http://source.com/restricted

At least the following request variants bypass the restriction, because WebSweeper compares the requested URL against its restricted list without first canonicalizing the path:

1) http://source.com//restricted
2) http://source.com/blabla/../restricted
3) http://source.com/./restricted
4) http://source.com/r%65stricted

Version Tested
--------------

Baltimore Technologies WebSweeper 4.02

Status
------

Baltimore was notified on August 1 2001 and released the following technote on September 4 2001:

    http://www.mimesweeper.com/support/technotes/notes/1043.asp

Baltimore claims that it is not practical to use WEBsweeper to manage blacklists.

For those of you who intend to read Baltimore's technote, please note that some of the examples in the technote, as well as in the reference attached to it, discuss obscuring URLs at the BROWSER level. These examples are not intended to work against proxy servers and gateways such as WebSweeper; they are usually used by spammers to obscure a URL displayed to users. They usually cannot be used by users to bypass a proxy or gateway URL filter (unless the filter includes additional design and implementation flaws).

edvice Security Services
http://www.edvicesecurity.com/vul29.htm
support@edviceSecurity.com
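The four variants above are all equivalent to /restricted once the path is canonicalized, which is the step a gateway URL filter must perform before comparing a request against its restricted list. The following is an added example written for this page, not code from edvice or from Baltimore's product, showing that normalization order in Python: percent-decode first (so an encoded dot or slash takes part in the later steps), then collapse repeated slashes, then resolve "." and ".." segments, and only then look the result up. The blocklist entry and the decode-loop bound are constructed assumptions for the example; the loop also handles double encoding, which the advisory does not mention but which the same lookup-before-normalize mistake would let through.

```python
import posixpath
import re
from urllib.parse import urlsplit, unquote

# Constructed example policy in the shape of the advisory's restricted URL:
# a set of (host, path-prefix) pairs. Not a real configuration.
BLOCKLIST = {("source.com", "/restricted")}

# Assumed bound on nested percent-encoding we are willing to undo.
MAX_DECODE_ROUNDS = 3


def canonicalize(url):
    """Reduce a URL to a canonical (host, path) pair for policy lookup.

    The order of the steps is the whole point: decoding after dot-segment
    removal would leave "%2e%2e" untouched, and collapsing slashes after
    normpath would leave "//restricted" as a distinct path.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()          # hostname is case-insensitive
    path = parts.path or "/"

    # 1. Percent-decode, repeating so that double-encoded bytes are undone too.
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded

    # 2. Collapse runs of slashes: "//restricted" -> "/restricted".
    #    posixpath.normpath alone would keep exactly two leading slashes.
    path = re.sub(r"/+", "/", path)

    # 3. Resolve "." and ".." segments: "/blabla/../restricted" -> "/restricted".
    #    On an absolute path, a leading ".." cannot climb above the root.
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return host, path


def is_blocked(url, blocklist=BLOCKLIST):
    """True if the canonical form of url matches a blocklist entry or lives below it."""
    host, path = canonicalize(url)
    for b_host, b_path in blocklist:
        if host == b_host and (path == b_path or path.startswith(b_path + "/")):
            return True
    return False


def check_advisory_variants():
    """Run the four request forms from the advisory through the canonical lookup."""
    variants = [
        "http://source.com//restricted",
        "http://source.com/blabla/../restricted",
        "http://source.com/./restricted",
        "http://source.com/r%65stricted",
    ]
    return {url: is_blocked(url) for url in variants}


if __name__ == "__main__":
    for url, blocked in check_advisory_variants().items():
        print(f"{'BLOCKED' if blocked else 'allowed':8} {url} -> {canonicalize(url)}")
```

A filter that compares the raw request string instead of the output of canonicalize() passes all four variants; a filter that decodes after resolving dot segments still passes the encoded forms. Matching on the prefix rather than the exact path also keeps pages beneath /restricted inside the policy.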