Phase: Baltimore Technologies WEBsweeper 4.02, when used to manage URL blacklists, allows remote attackers to bypass blacklist restrictions and connect to unauthorized web servers by modifying the requested URL, including (1) a // (double slash), (2) a /SUBDIR/.. where the desired file is in the parent directory, (3) a /./, or (4) URL-encoded characters.
References: BUGTRAQ:Wednesday, September 05, 2001 Various problems in Baltimore WebSweeper URL filtering | URL:http://www.securityfocus.com/archive/1/212283 | MISC:http://www.mimesweeper.com/support/technotes/notes/1043.asp | BID:3296 | URL:http://www.securityfocus.com/cg
Votes: Proposed (Friday, March 15, 2002)
Comments: ACCEPT(2) Baker, Foat | MODIFY(1) Frech | NOOP(4) Cole, Armstrong, Green, Wall | REJECT(1) Ziese
F7:

Ziese> ACCEPT REASON: Rejection logic makes sense, products have to be used as intended. Misuse is not a security vulnerability per se.

Frech> XF:content-slash-bypass-filter(6816)

Baker> I would say that this is a vulnerability, since their website touts URL filtering as a feature of the product. If the product has to filter URLs then the product needs to be able to filter URLs properly, or the product fails.
Here is the list of features, quoted from their product page for web sweeper:

"Key Features
Policy based web security implementation for information posted to and downloaded from the web
Protects against unauthorized users accessing the web utilizing user authentication
Provides URL filtering blocking stopping inappropriate site access
Protects against loss of confidential information, viruses, portable code, and inappropriate content entering and leaving via web based e-mail accounts such as hotmail and Yahoo
Auditing and reporting on individual and group web traffic
Customizable "Block" and "Progress Message" pages"