Saturday 22 September 2001

Various problems in Baltimore MailSweeper Script filtering
===========================================================

Product Background
--------------------
MAILsweeper is a Content Security solution for the gateway that allows businesses to implement policy for Internet e-mail.

Scope
------
edvice recently conducted a test of MailSweeper's ability to filter scripts from HTML e-mail. MailSweeper includes the option to detect and remove JavaScript and VBScript from incoming HTML e-mail.

The Findings
-------------
Two vulnerabilities in MailSweeper allow an attacker to bypass restrictions set by the product administrator and to introduce malicious code into the organization.

Details
--------
1. MailSweeper does not correctly intercept HTML-encoded characters that replace the string "javascript" or "vbscript" within certain HTML tags. As a result, it is possible to bypass MailSweeper's script filtering. For example:

<A HREF="javascript:alert('This part should be filtered')">Click here</A>

Or:

<IMG SRC="javascript:alert('This part should be filtered')">

2. A problem similar to the one we reported on WebSweeper applies to MailSweeper as well. The following crafted HTML code:

<<IMG SRC="javascript:alert('This part should be filtered')">

will go undetected by MailSweeper.

Version Tested
---------------
Baltimore Technologies MailSweeper 4.2

Status
-------
Baltimore Technologies was notified on 21 August 2001.

Discovered by edvice on 15 August 2001.

http://www.edvicesecurity.com/vul30.htm
support@edvicesecurity.com
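Added example, not part of the edvice advisory and not MailSweeper's code: a Python check for the two cases under Details, which decodes HTML character references before comparing the URL scheme and scans for href/src attributes without relying on tag boundaries. The entity-encoded sample strings, the attribute list and all function names are assumptions made for illustration.

```python
import html
import re

SCRIPT_SCHEMES = {"javascript", "vbscript"}

# Scan for URL attributes anywhere in the markup instead of relying on tag
# boundaries, so a stray "<" before the tag cannot hide it from the check.
# Assumption: only href/src are covered; a real policy lists more attributes.
ATTR_RE = re.compile(
    r"""\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def naive_match(markup):
    """Literal substring test, shown for contrast (not MailSweeper's code)."""
    low = markup.lower()
    return any(s + ":" in low for s in SCRIPT_SCHEMES)


def url_scheme(value):
    """Scheme of an attribute value after entity decoding and cleanup."""
    decoded = html.unescape(value)                 # &#106; / &#x6A; -> "j"
    cleaned = re.sub(r"[\x00-\x20]", "", decoded)  # drop whitespace/controls
    return cleaned.split(":", 1)[0].lower() if ":" in cleaned else ""


def script_urls(markup):
    """Return the attribute values whose decoded scheme is a script scheme."""
    hits = []
    for m in ATTR_RE.finditer(markup):
        value = next(g for g in m.groups() if g is not None)
        if url_scheme(value) in SCRIPT_SCHEMES:
            hits.append(value)
    return hits


# Constructed samples; the payload text is the advisory's own placeholder.
PAYLOAD = "alert('This part should be filtered')"
SAMPLES = {
    "entity_dec": f'<A HREF="&#106;avascript:{PAYLOAD}">Click here</A>',
    "entity_hex": f'<IMG SRC="&#x6A;avascript:{PAYLOAD}">',
    "double_lt": f'<<IMG SRC="javascript:{PAYLOAD}">',
    "benign": '<A HREF="http://example.com/javascript:notes">ok</A>',
}

if __name__ == "__main__":
    for name, markup in SAMPLES.items():
        print(name, "naive:", naive_match(markup),
              "decoded:", bool(script_urls(markup)))
```

The literal match misses both entity-encoded samples and flags the benign link, while the decoded-scheme check flags the three script URLs and passes the benign one.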